alexandre/wifite2
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Lots of fixes.

Browse Source 
1. WEP attack gracefully handles ctrl+c
2. Very verbose (-vv) prints out commands and output
3. Doesn't fetch WPS info when attacking WEP
This commit is contained in:
derv82
2016-01-04 18:20:25 -05:00
parent c5ffac75c5
commit 3847f2c5c9
10 changed files with 242 additions and 175 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
py/Aireplay.py
View File

@@ -122,7 +122,7 @@ class Aireplay(object):
if attack_type == WEPAttackType.fakeauth: if attack_type == WEPAttackType.fakeauth:
cmd.extend(['-1', '0']) # Fake auth, no delay cmd.extend(['-1', '0']) # Fake auth, no delay
cmd.extend(['-a', target.bssid]) cmd.extend(['-a', target.bssid])
cmd.extend(['-T', '1']) # Make 1 attemp cmd.extend(['-T', '3']) # Make 3 attempts
if target.essid_known: if target.essid_known:
cmd.extend(['-e', target.essid]) cmd.extend(['-e', target.essid])
# Do not specify client MAC address, # Do not specify client MAC address,

14
py/Airodump.py
View File

@@ -13,7 +13,7 @@ class Airodump(object):
def __init__(self, interface=None, channel=None, encryption=None,\ def __init__(self, interface=None, channel=None, encryption=None,\
wps=False, target_bssid=None, output_file_prefix='airodump',\ wps=False, target_bssid=None, output_file_prefix='airodump',\
ivs_only=False): ivs_only=False, skip_wash=False):
''' '''
Sets up airodump arguments, doesn't start process yet Sets up airodump arguments, doesn't start process yet
''' '''
@@ -39,6 +39,7 @@ class Airodump(object):
self.target_bssid = target_bssid self.target_bssid = target_bssid
self.output_file_prefix = output_file_prefix self.output_file_prefix = output_file_prefix
self.ivs_only = ivs_only self.ivs_only = ivs_only
self.skip_wash = skip_wash
def __enter__(self): def __enter__(self):
@@ -133,8 +134,9 @@ class Airodump(object):
targets = Airodump.get_targets_from_csv(csv_filename) targets = Airodump.get_targets_from_csv(csv_filename)
# Check targets for WPS # Check targets for WPS
capfile = csv_filename[:-3] + 'cap' if not self.skip_wash:
Wash.check_for_wps_and_update_targets(capfile, targets) capfile = csv_filename[:-3] + 'cap'
Wash.check_for_wps_and_update_targets(capfile, targets)
# Filter targets based on encryption # Filter targets based on encryption
targets = Airodump.filter_targets(targets) targets = Airodump.filter_targets(targets)
@@ -175,7 +177,11 @@ class Airodump(object):
if hit_clients: if hit_clients:
# The current row corresponds to a "Client" (computer) # The current row corresponds to a "Client" (computer)
client = Client(row) try:
client = Client(row)
except IndexError:
# Skip if we can't parse the client row
continue
if 'not associated' in client.bssid: if 'not associated' in client.bssid:
# Ignore unassociated clients # Ignore unassociated clients

4
py/Arguments.py
View File

@@ -212,8 +212,8 @@ class Arguments(object):
% Configuration.wps_timeout_threshold) % Configuration.wps_timeout_threshold)
wps.add_argument('--ignore-ratelimit', wps.add_argument('--ignore-ratelimit',
action='store_false', action='store_false',
dest='wps_ignore_rate_limit', dest='wps_skip_rate_limit',
help=Color.s('Continues attack if WPS is rate-limited (default: {G}off{W})')) help=Color.s('Ignores attack if WPS is rate-limited (default: {G}on{W})'))
# Commands # Commands
commands = parser.add_argument_group('COMMANDS') commands = parser.add_argument_group('COMMANDS')

316
py/AttackWEP.py
View File

@@ -29,175 +29,201 @@ class AttackWEP(Attack):
Including airodump-ng starting, cracking, etc. Including airodump-ng starting, cracking, etc.
Returns: True if attack is succesful, false otherwise Returns: True if attack is succesful, false otherwise
''' '''
# First, start Airodump process
with Airodump(channel=self.target.channel,
target_bssid=self.target.bssid,
ivs_only=True, # Only capture IVs packets
output_file_prefix='wep') as airodump:
Color.clear_line() aircrack = None # Aircrack process, not started yet
Color.p('\r{+} {O}waiting{W} for target to appear...')
airodump_target = self.wait_for_target(airodump)
if self.fake_auth(): for (attack_index, attack_name) in enumerate(Configuration.wep_attacks):
# We successfully authenticated! # BIG try-catch to capture ctrl+c
# Use our interface's MAC address for the attacks. try:
client_mac = Interface.get_mac() # Start Airodump process
elif len(airodump_target.clients) == 0: with Airodump(channel=self.target.channel,
# There are no associated clients. Warn user. target_bssid=self.target.bssid,
Color.pl('{!} {O}there are no associated clients{W}') ivs_only=True, # Only capture IVs packets
Color.pl('{!} {R}WARNING: {O}many attacks will not succeed' + skip_wash=True, # Don't check for WPS-compatibility
' without fake-authentication or associated clients{W}') output_file_prefix='wep') as airodump:
client_mac = None
else:
client_mac = airodump_target.clients[0].station
aircrack = None # Aircrack process, not started yet Color.clear_line()
Color.p('\r{+} {O}waiting{W} for target to appear...')
for attack_name in Configuration.wep_attacks:
# Convert to WEPAttackType.
wep_attack_type = WEPAttackType(attack_name)
replay_file = None
# Start Aireplay process.
aireplay = Aireplay(self.target, \
wep_attack_type, \
client_mac=client_mac, \
replay_file=replay_file)
time_unchanged_ivs = time.time() # Timestamp when IVs last changed
previous_ivs = 0
# Loop until attack completes.
while True:
airodump_target = self.wait_for_target(airodump) airodump_target = self.wait_for_target(airodump)
Color.p('\r{+} running {C}%s{W} WEP attack ({G}%d IVs{W}) '
% (attack_name, airodump_target.ivs))
# Check if we cracked it. if self.fake_auth():
if aircrack and aircrack.is_cracked(): # We successfully authenticated!
(hex_key, ascii_key) = aircrack.get_key_hex_ascii() # Use our interface's MAC address for the attacks.
bssid = airodump_target.bssid client_mac = Interface.get_mac()
if airodump_target.essid_known: elif len(airodump_target.clients) == 0:
essid = airodump_target.essid # There are no associated clients. Warn user.
else: Color.pl('{!} {O}there are no associated clients{W}')
essid = None Color.pl('{!} {R}WARNING: {O}many attacks will not succeed' +
Color.pl('\n{+} {C}%s{W} WEP attack {G}successful{W}\n' ' without fake-authentication or associated clients{W}')
% attack_name) client_mac = None
if aireplay: else:
aireplay.stop() client_mac = airodump_target.clients[0].station
self.crack_result = CrackResultWEP(bssid, \
essid, \
hex_key, \
ascii_key)
self.crack_result.dump()
self.success = True
return self.success
if aircrack and aircrack.is_running(): # Convert to WEPAttackType.
# Aircrack is running in the background. wep_attack_type = WEPAttackType(attack_name)
Color.p('and {C}cracking{W}')
# Check number of IVs, crack if necessary replay_file = None
if airodump_target.ivs > Configuration.wep_crack_at_ivs: # Start Aireplay process.
if not aircrack: aireplay = Aireplay(self.target, \
# Aircrack hasn't started yet. Start it. wep_attack_type, \
ivs_file = airodump.find_files(endswith='.ivs')[0] client_mac=client_mac, \
aircrack = Aircrack(ivs_file) replay_file=replay_file)
elif not aircrack.is_running(): time_unchanged_ivs = time.time() # Timestamp when IVs last changed
# Aircrack stopped running. previous_ivs = 0
Color.pl('\n{!} {O}aircrack stopped running!{W}')
ivs_file = airodump.find_files(endswith='.ivs')[0]
Color.pl('{+} {C}aircrack{W} stopped,' +
' restarting {C}aircrack{W}')
aircrack = Aircrack(ivs_file)
elif aircrack.is_running() and \ # Loop until attack completes.
Configuration.wep_restart_aircrack > 0:
# Restart aircrack after X seconds while True:
if aircrack.pid.running_time() > Configuration.wep_restart_aircrack: airodump_target = self.wait_for_target(airodump)
aircrack.stop() Color.p('\r{+} running {C}%s{W} WEP attack ({G}%d IVs{W}) '
% (attack_name, airodump_target.ivs))
# Check if we cracked it.
if aircrack and aircrack.is_cracked():
(hex_key, ascii_key) = aircrack.get_key_hex_ascii()
bssid = airodump_target.bssid
if airodump_target.essid_known:
essid = airodump_target.essid
else:
essid = None
Color.pl('\n{+} {C}%s{W} WEP attack {G}successful{W}\n'
% attack_name)
if aireplay:
aireplay.stop()
self.crack_result = CrackResultWEP(bssid, \
essid, \
hex_key, \
ascii_key)
self.crack_result.dump()
self.success = True
return self.success
if aircrack and aircrack.is_running():
# Aircrack is running in the background.
Color.p('and {C}cracking{W}')
# Check number of IVs, crack if necessary
if airodump_target.ivs > Configuration.wep_crack_at_ivs:
if not aircrack:
# Aircrack hasn't started yet. Start it.
ivs_file = airodump.find_files(endswith='.ivs')[0] ivs_file = airodump.find_files(endswith='.ivs')[0]
Color.pl('\n{+} {C}aircrack{W} ran for more than' +
' {C}%d{W} seconds, restarting'
% Configuration.wep_restart_aircrack)
aircrack = Aircrack(ivs_file) aircrack = Aircrack(ivs_file)
elif not aircrack.is_running():
# Aircrack stopped running.
Color.pl('\n{!} {O}aircrack stopped running!{W}')
ivs_file = airodump.find_files(endswith='.ivs')[0]
Color.pl('{+} {C}aircrack{W} stopped,' +
' restarting {C}aircrack{W}')
aircrack = Aircrack(ivs_file)
if not aireplay.is_running(): elif aircrack.is_running() and \
# Some Aireplay attacks loop infinitely Configuration.wep_restart_aircrack > 0:
if attack_name == 'chopchop' or attack_name == 'fragment': # Restart aircrack after X seconds
# We expect these to stop once a .xor is created, if aircrack.pid.running_time() > Configuration.wep_restart_aircrack:
# or if the process failed. aircrack.stop()
ivs_file = airodump.find_files(endswith='.ivs')[0]
Color.pl('\n{+} {C}aircrack{W} ran for more than' +
' {C}%d{W} seconds, restarting'
% Configuration.wep_restart_aircrack)
aircrack = Aircrack(ivs_file)
replay_file = None
# Check for .xor file. if not aireplay.is_running():
xor_file = Aireplay.get_xor() # Some Aireplay attacks loop infinitely
if not xor_file: if attack_name == 'chopchop' or attack_name == 'fragment':
# If .xor is not there, the process failed. # We expect these to stop once a .xor is created,
Color.pl('\n{!} {O}%s attack{R} did not generate' + # or if the process failed.
' a .xor file{W}' % attack_name)
# XXX: For debugging
Color.pl('\noutput:\n')
Color.pl(aireplay.get_output())
Color.pl('')
break
# If .xor exists, run packetforge-ng to create .cap replay_file = None
Color.pl('\n{+} {C}%s attack{W}' % attack_name +
' generated a {C}.xor file{W}, {G}forging...{W}') # Check for .xor file.
forge_file = Aireplay.forge_packet(xor_file, xor_file = Aireplay.get_xor()
airodump_target.bssid, if not xor_file:
client_mac) # If .xor is not there, the process failed.
if forge_file: Color.pl('\n{!} {O}%s attack{R} did not generate' % attack_name +
replay_file = forge_file ' a .xor file{W}')
Color.pl('{+} {C}forged packet{W},' + # XXX: For debugging
' {G}replaying...{W}') Color.pl('\noutput:\n')
attack_name = 'forged arp replay' Color.pl(aireplay.get_output())
aireplay = Aireplay(self.target, \ Color.pl('')
'forgedreplay', \ break
client_mac=client_mac, \
replay_file=replay_file) # If .xor exists, run packetforge-ng to create .cap
continue Color.pl('\n{+} {C}%s attack{W}' % attack_name +
' generated a {C}.xor file{W}, {G}forging...{W}')
forge_file = Aireplay.forge_packet(xor_file,
airodump_target.bssid,
client_mac)
if forge_file:
replay_file = forge_file
Color.pl('{+} {C}forged packet{W},' +
' {G}replaying...{W}')
attack_name = 'forged arp replay'
aireplay = Aireplay(self.target, \
'forgedreplay', \
client_mac=client_mac, \
replay_file=replay_file)
continue
else:
# Failed to forge packet. drop out
break
else: else:
# Failed to forge packet. drop out Color.pl('\n{!} {O}aireplay-ng exited unexpectedly{W}')
break Color.pl('\naireplay.get_output():')
else: Color.pl(aireplay.get_output())
Color.pl('\n{!} {O}aireplay-ng exited unexpectedly{W}') break # Continue to other attacks
Color.pl('\naireplay.get_output():')
Color.pl(aireplay.get_output())
break # Continue to other attacks
# Check if IVs stopped flowing (same for > N seconds) # Check if IVs stopped flowing (same for > N seconds)
if airodump_target.ivs > previous_ivs: if airodump_target.ivs > previous_ivs:
time_unchanged_ivs = time.time()
elif Configuration.wep_restart_stale_ivs > 0 and \
attack_name != 'chopchop' and \
attack_name != 'fragment':
stale_seconds = time.time() - time_unchanged_ivs
if stale_seconds > Configuration.wep_restart_stale_ivs:
# No new IVs within threshold, restart aireplay
aireplay.stop()
Color.pl('\n{!} restarting {C}aireplay{W} after' +
' {C}%d{W} seconds of no new IVs'
% stale_seconds)
aireplay = Aireplay(self.target, \
wep_attack_type, \
client_mac=client_mac)
time_unchanged_ivs = time.time() time_unchanged_ivs = time.time()
previous_ivs = airodump_target.ivs elif Configuration.wep_restart_stale_ivs > 0 and \
attack_name != 'chopchop' and \
attack_name != 'fragment':
stale_seconds = time.time() - time_unchanged_ivs
if stale_seconds > Configuration.wep_restart_stale_ivs:
# No new IVs within threshold, restart aireplay
aireplay.stop()
Color.pl('\n{!} restarting {C}aireplay{W} after' +
' {C}%d{W} seconds of no new IVs'
% stale_seconds)
aireplay = Aireplay(self.target, \
wep_attack_type, \
client_mac=client_mac)
time_unchanged_ivs = time.time()
previous_ivs = airodump_target.ivs
time.sleep(1) time.sleep(1)
continue continue
# End of big while loop # End of big while loop
# End of for-each-attack-type loop # End of with-airodump
# End of with-airodump except KeyboardInterrupt:
if not self.user_wants_to_continue(attack_index):
self.success = False
return self.success
# End of big try-catch
# End of for-each-attack-type loop
self.success = False self.success = False
return self.success return self.success
def user_wants_to_continue(self, attack_index):
''' Asks user if attacks should continue using remaining methods '''
Color.pl('\n{!} {O}interrupted{W}\n')
if attack_index + 1 >= len(Configuration.wep_attacks):
# No more WEP attacks to perform.
return False
attacks_remaining = Configuration.wep_attacks[attack_index + 1:]
Color.pl("{+} {G}%d{W} attacks remain ({C}%s{W})" % (len(attacks_remaining), ', '.join(attacks_remaining)))
prompt = Color.s('{+} type {G}c{W} to {G}continue{W}' +
' or {R}s{W} to {R}stop{W}: ')
if raw_input(prompt).lower().startswith('s'):
return False
else:
return True
def fake_auth(self): def fake_auth(self):
''' '''

1
py/AttackWPA.py
View File

@@ -33,6 +33,7 @@ class AttackWPA(Attack):
# First, start Airodump process # First, start Airodump process
with Airodump(channel=self.target.channel, with Airodump(channel=self.target.channel,
target_bssid=self.target.bssid, target_bssid=self.target.bssid,
skip_wash=True,
output_file_prefix='wpa') as airodump: output_file_prefix='wpa') as airodump:
Color.clear_line() Color.clear_line()

11
py/AttackWPS.py
View File

@@ -124,11 +124,8 @@ class AttackWPS(Attack):
elif 'Detected AP rate limiting,' in stdout_last_line: elif 'Detected AP rate limiting,' in stdout_last_line:
if Configuration.wps_skip_rate_limit: if Configuration.wps_skip_rate_limit:
Color.pl('{R}failed: {O}hit WPS rate-limit{W}') Color.pl('{R}failed: {O}hit WPS rate-limit{W}')
# TODO: Argument for --ignore-rate-limit Color.pl('{!} {O}use {R}--skip-rate-limit{O} to ignore' +
''' ' this kind of failure in the future{W}')
Color.pl('{!} {O}use {R}--ignore-rate-limit{O} to ignore' +
' this kind of failure in the future')
'''
break break
step = '({C}step -/8{W}) waiting for AP rate limit' step = '({C}step -/8{W}) waiting for AP rate limit'
@@ -261,9 +258,11 @@ class AttackWPS(Attack):
if 'Detected AP rate limiting' in out: if 'Detected AP rate limiting' in out:
state = '{R}rate-limited{W}' state = '{R}rate-limited{W}'
if not Configuration.wps_skip_rate_limit: if Configuration.wps_skip_rate_limit:
Color.pl(state) Color.pl(state)
Color.pl('{!} {R}hit rate limit, stopping{W}\n') Color.pl('{!} {R}hit rate limit, stopping{W}\n')
Color.pl('{!} {O}use {R}--skip-rate-limit{O} to ignore' +
' this kind of failure in the future{W}')
break break
if 'WARNING: Failed to associate with' in out: if 'WARNING: Failed to associate with' in out:

8
py/Color.py
View File

@@ -48,6 +48,14 @@ class Color(object):
Color.p('%s\n' % text) Color.p('%s\n' % text)
Color.last_sameline_length = 0 Color.last_sameline_length = 0
@staticmethod
def pe(text):
'''
Prints text using colored format with leading and trailing new line to STDERR.
'''
sys.stderr.write(Color.s('%s\n' % text))
Color.last_sameline_length = 0
@staticmethod @staticmethod
def s(text): def s(text):
''' Returns colored string ''' ''' Returns colored string '''

2
py/Configuration.py
View File

@@ -193,7 +193,7 @@ class Configuration(object):
if args.wps_timeout_threshold: if args.wps_timeout_threshold:
Configuration.wps_timeout_threshold = args.wps_timeout_threshold Configuration.wps_timeout_threshold = args.wps_timeout_threshold
Color.pl('{+} {C}option:{W} will stop WPS attack after {G}%d timeouts{W}' % args.wps_timeout_threshold) Color.pl('{+} {C}option:{W} will stop WPS attack after {G}%d timeouts{W}' % args.wps_timeout_threshold)
if args.wps_ignore_rate_limit == False: if args.wps_skip_rate_limit == False:
Configuration.wps_skip_rate_limit = False Configuration.wps_skip_rate_limit = False
Color.pl('{+} {C}option:{W} will {G}continue{W} WPS attacks when rate-limited') Color.pl('{+} {C}option:{W} will {G}continue{W} WPS attacks when rate-limited')

33
py/Process.py
View File

@@ -1,5 +1,8 @@
#!/usr/bin/python #!/usr/bin/python
from Configuration import Configuration
from Color import Color
from subprocess import Popen, call, PIPE from subprocess import Popen, call, PIPE
import time import time
@@ -20,20 +23,35 @@ class Process(object):
''' '''
if type(command) != str or ' ' in command or shell: if type(command) != str or ' ' in command or shell:
shell = True shell = True
if Configuration.verbose > 1:
Color.pe("\n {C}[?] {W} Executing (Shell): {B}%s{W}" % command)
else: else:
shell = False shell = False
if Configuration.verbose > 1:
Color.pe("\n {C}[?]{W} Executing: {B}%s{W}" % command)
pid = Popen(command, cwd=cwd, stdout=PIPE, stderr=PIPE, shell=shell) pid = Popen(command, cwd=cwd, stdout=PIPE, stderr=PIPE, shell=shell)
pid.wait() pid.wait()
return pid.communicate() (stdout, stderr) = pid.communicate()
if Configuration.verbose > 1 and stdout.strip() != '':
Color.pe("{P} [stdout] %s{W}" % '\n [stdout] '.join(stdout.split('\n')))
if Configuration.verbose > 1 and stderr.strip() != '':
Color.pe("{P} [stderr] %s{W}" % '\n [stderr] '.join(stderr.split('\n')))
return (stdout, stderr)
@staticmethod @staticmethod
def exists(program): def exists(program):
''' Checks if program is installed on this system ''' ''' Checks if program is installed on this system '''
p = Process(['which', program]) p = Process(['which', program])
if p.stdout().strip() == '' and p.stderr().strip() == '': stdout = p.stdout().strip()
return False stderr = p.stderr().strip()
return True
if stdout == '' and err == '':
return False
return True
def __init__(self, command, devnull=False, stdout=PIPE, stderr=PIPE, cwd=None): def __init__(self, command, devnull=False, stdout=PIPE, stderr=PIPE, cwd=None):
''' Starts executing command ''' ''' Starts executing command '''
@@ -44,6 +62,9 @@ class Process(object):
self.command = command self.command = command
if Configuration.verbose > 1:
Color.pe("\n {C}[?] {W} Executing: {B}%s{W}" % ' '.join(command))
self.out = None self.out = None
self.err = None self.err = None
if devnull: if devnull:
@@ -68,11 +89,15 @@ class Process(object):
def stdout(self): def stdout(self):
''' Waits for process to finish, returns stdout output ''' ''' Waits for process to finish, returns stdout output '''
self.get_output() self.get_output()
if Configuration.verbose > 1 and self.out.strip() != '':
Color.pe("{P} [stdout] %s{W}" % '\n [stdout] '.join(self.out.split('\n')))
return self.out return self.out
def stderr(self): def stderr(self):
''' Waits for process to finish, returns stderr output ''' ''' Waits for process to finish, returns stderr output '''
self.get_output() self.get_output()
if Configuration.verbose > 1 and self.err.strip() != '':
Color.pe("{P} [stderr] %s{W}" % '\n [stderr] '.join(self.err.split('\n')))
return self.err return self.err
def get_output(self): def get_output(self):

26
py/Scanner.py
View File

@@ -93,18 +93,20 @@ class Scanner(object):
if self.previous_target_count > 0: if self.previous_target_count > 0:
# We need to "overwrite" the previous list of targets. # We need to "overwrite" the previous list of targets.
if self.previous_target_count > len(self.targets) or \ if Configuration.verbose <= 1:
Scanner.get_terminal_height() < self.previous_target_count + 3: # Don't clear screen buffer in verbose mode.
# Either: if self.previous_target_count > len(self.targets) or \
# 1) We have less targets than before, so we can't overwrite the previous list Scanner.get_terminal_height() < self.previous_target_count + 3:
# 2) The terminal can't display the targets without scrolling. # Either:
# Clear the screen. # 1) We have less targets than before, so we can't overwrite the previous list
from Process import Process # 2) The terminal can't display the targets without scrolling.
Process.call('clear') # Clear the screen.
else: from Process import Process
# We can fit the targets in the terminal without scrolling Process.call('clear')
# "Move" cursor up so we will print over the previous list else:
Color.pl(Scanner.UP_CHAR * (3 + self.previous_target_count)) # We can fit the targets in the terminal without scrolling
# "Move" cursor up so we will print over the previous list
Color.pl(Scanner.UP_CHAR * (3 + self.previous_target_count))
self.previous_target_count = len(self.targets) self.previous_target_count = len(self.targets)