From 01b0520aecd6067d81a1c5ad2f185cc6ca5be462 Mon Sep 17 00:00:00 2001
From: Just Call Me Koko <at.the.red.team@gmail.com>
Date: Sat, 18 Jun 2022 03:22:13 -0400
Subject: [PATCH] AP obfuscation attack

---
 esp32_marauder/CommandLine.cpp |  2 +-
 esp32_marauder/CommandLine.h   |  2 +-
 esp32_marauder/WiFiScan.cpp    | 80 +++++++++++++++++++---------------
 esp32_marauder/configs.h       |  6 +--
 4 files changed, 49 insertions(+), 41 deletions(-)

diff --git a/esp32_marauder/CommandLine.cpp b/esp32_marauder/CommandLine.cpp
index bc94a6c..e4c08fe 100644
--- a/esp32_marauder/CommandLine.cpp
+++ b/esp32_marauder/CommandLine.cpp
@@ -199,7 +199,7 @@ void CommandLine::runCommand(String input) {
 
     // AP Scan
     if (cmd_args.get(0) == SCANAP_CMD) {
-      int full_sw = this->argSearch(&cmd_args, "-f");
+      int full_sw = -1;
       #ifdef HAS_SCREEN
         display_obj.clearScreen();
         menu_function_obj.drawStatusBar();
diff --git a/esp32_marauder/CommandLine.h b/esp32_marauder/CommandLine.h
index 90e8559..ae49607 100644
--- a/esp32_marauder/CommandLine.h
+++ b/esp32_marauder/CommandLine.h
@@ -71,7 +71,7 @@ const char PROGMEM HELP_UPDATE_CMD_A[] = "update -s";
 const char PROGMEM HELP_UPDATE_CMD_B[] = "update -w";
 
 // WiFi sniff/scan
-const char PROGMEM HELP_SCANAP_CMD[] = "scanap [-f]";
+const char PROGMEM HELP_SCANAP_CMD[] = "scanap";
 const char PROGMEM HELP_SNIFF_BEACON_CMD[] = "sniffbeacon";
 const char PROGMEM HELP_SNIFF_PROBE_CMD[] = "sniffprobe";
 const char PROGMEM HELP_SNIFF_PWN_CMD[] = "sniffpwn";
diff --git a/esp32_marauder/WiFiScan.cpp b/esp32_marauder/WiFiScan.cpp
index 7dac636..c66c596 100644
--- a/esp32_marauder/WiFiScan.cpp
+++ b/esp32_marauder/WiFiScan.cpp
@@ -517,10 +517,10 @@ void WiFiScan::RunAPScan(uint8_t scan_mode, uint16_t color)
   esp_wifi_start();
   esp_wifi_set_promiscuous(true);
   esp_wifi_set_promiscuous_filter(&filt);
-  if (scan_mode == WIFI_SCAN_TARGET_AP_FULL)
-    esp_wifi_set_promiscuous_rx_cb(&apSnifferCallbackFull);
-  else
-    esp_wifi_set_promiscuous_rx_cb(&apSnifferCallback);
+  //if (scan_mode == WIFI_SCAN_TARGET_AP_FULL)
+  esp_wifi_set_promiscuous_rx_cb(&apSnifferCallbackFull);
+  //else
+  //  esp_wifi_set_promiscuous_rx_cb(&apSnifferCallback);
   esp_wifi_set_channel(set_channel, WIFI_SECOND_CHAN_NONE);
   this->wifi_initialized = true;
   initTime = millis();
@@ -1389,13 +1389,15 @@ void WiFiScan::apSnifferCallbackFull(void* buf, wifi_promiscuous_pkt_type_t type
         
         ap.beacon = new LinkedList<char>();
 
-        for (int i = 0; i < len; i++) {
-          ap.beacon->add(snifferPacket->payload[i]);
-        }
+        //for (int i = 0; i < len; i++) {
+        //  ap.beacon->add(snifferPacket->payload[i]);
+        //}
+        ap.beacon->add(snifferPacket->payload[34]);
+        ap.beacon->add(snifferPacket->payload[35]);
 
-        //Serial.println("\nBeacon: ");
+        Serial.print("\nBeacon: ");
 
-        /*for (int i = 0; i < len; i++) {
+        for (int i = 0; i < ap.beacon->size(); i++) {
           char hexCar[4];
           sprintf(hexCar, "%02X", ap.beacon->get(i));
           Serial.print(hexCar);
@@ -1403,7 +1405,7 @@ void WiFiScan::apSnifferCallbackFull(void* buf, wifi_promiscuous_pkt_type_t type
             Serial.print("\n");
           else
             Serial.print(" ");
-        }*/
+        }
 
         access_points->add(ap);
 
@@ -1867,49 +1869,53 @@ void WiFiScan::broadcastCustomBeacon(uint32_t current_time, AccessPoint custom_s
   if (custom_ssid.beacon->size() == 0)
     return;
 
-  uint8_t new_packet[custom_ssid.beacon->size()];
-
-  for (int i = 0; i < custom_ssid.beacon->size(); i++) {
-    new_packet[i] = custom_ssid.beacon->get(i);
-  }
 
   // Randomize SRC MAC
-  new_packet[10] = new_packet[16] = random(256);
-  new_packet[11] = new_packet[17] = random(256);
-  new_packet[12] = new_packet[18] = random(256);
-  new_packet[13] = new_packet[19] = random(256);
-  new_packet[14] = new_packet[20] = random(256);
-  new_packet[15] = new_packet[21] = random(256);
+  // Randomize SRC MAC
+  packet[10] = packet[16] = random(256);
+  packet[11] = packet[17] = random(256);
+  packet[12] = packet[18] = random(256);
+  packet[13] = packet[19] = random(256);
+  packet[14] = packet[20] = random(256);
+  packet[15] = packet[21] = random(256);
 
-  //char ESSID[custom_ssid.essid.length() + 1] = {};
-  //custom_ssid.essid.toCharArray(ESSID, custom_ssid.essid.length() + 1);
+  char ESSID[custom_ssid.essid.length() + 1] = {};
+  custom_ssid.essid.toCharArray(ESSID, custom_ssid.essid.length() + 1);
 
-  //int ssidLen = strlen(ESSID);
+  int realLen = strlen(ESSID);
+  int ssidLen = random(realLen, 33);
+  int numSpace = ssidLen - realLen;
   //int rand_len = sizeof(rand_reg);
-  //int fullLen = ssidLen;
-  //new_packet[37] = fullLen;
+  int fullLen = ssidLen;
+  packet[37] = fullLen;
 
   // Insert my tag
-  //for(int i = 0; i < ssidLen; i++)
-  //  new_packet[38 + i] = ESSID[i];
+  for(int i = 0; i < realLen; i++)
+    packet[38 + i] = ESSID[i];
+
+  for(int i = 0; i < numSpace; i++)
+    packet[38 + realLen + i] = 0x20;
 
   /////////////////////////////
   
-  //new_packet[50 + fullLen] = set_channel;
+  packet[50 + fullLen] = set_channel;
 
-  //uint8_t postSSID[13] = {0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x24, 0x30, 0x48, 0x6c, //supported rate
-  //                    0x03, 0x01, 0x04 /*DSSS (Current Channel)*/ };
+  uint8_t postSSID[13] = {0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x24, 0x30, 0x48, 0x6c, //supported rate
+                      0x03, 0x01, 0x04 /*DSSS (Current Channel)*/ };
 
 
 
   // Add everything that goes after the SSID
   //for(int i = 0; i < 12; i++) 
   //  packet[38 + fullLen + i] = postSSID[i];
+
+  packet[34] = custom_ssid.beacon->get(0);
+  packet[35] = custom_ssid.beacon->get(1);
   
 
-  esp_wifi_80211_tx(WIFI_IF_AP, new_packet, sizeof(new_packet), false);
-  esp_wifi_80211_tx(WIFI_IF_AP, new_packet, sizeof(new_packet), false);
-  esp_wifi_80211_tx(WIFI_IF_AP, new_packet, sizeof(new_packet), false);
+  esp_wifi_80211_tx(WIFI_IF_AP, packet, sizeof(packet), false);
+  esp_wifi_80211_tx(WIFI_IF_AP, packet, sizeof(packet), false);
+  esp_wifi_80211_tx(WIFI_IF_AP, packet, sizeof(packet), false);
 
   packets_sent = packets_sent + 3;
 }
@@ -2805,8 +2811,10 @@ void WiFiScan::main(uint32_t currentTime)
     }
   }
   else if ((currentScanMode == WIFI_ATTACK_AP_SPAM)) {
-    for (int i = 0; i < access_points->size(); i++)
-      this->broadcastCustomBeacon(currentTime, access_points->get(i));
+    for (int i = 0; i < access_points->size(); i++) {
+      if (access_points->get(i).selected)
+        this->broadcastCustomBeacon(currentTime, access_points->get(i));
+    }
 
     if (currentTime - initTime >= 1000) {
       initTime = millis();
diff --git a/esp32_marauder/configs.h b/esp32_marauder/configs.h
index 6821e3b..6118032 100644
--- a/esp32_marauder/configs.h
+++ b/esp32_marauder/configs.h
@@ -4,14 +4,14 @@
 
   #define POLISH_POTATO
   
-  //#define MARAUDER_MINI
+  #define MARAUDER_MINI
   //#define MARAUDER_V4
   //#define MARAUDER_V6
   //#define MARAUDER_KIT
   //#define GENERIC_ESP32
-  #define MARAUDER_FLIPPER
+  //#define MARAUDER_FLIPPER
 
-  #define MARAUDER_VERSION "v0.9.8"
+  #define MARAUDER_VERSION "v0.9.9"
 
   //// BUTTON DEFINITIONS
   #ifdef MARAUDER_MINI