alexandre/wifite2
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

2.1.3: Better WPS attack messaging. Leave device in Monitor Mode.

Browse Source 
Unrelated to WPS:
* Do not take device out of monitor mode when finished (informs user)
* Do not restart NetworkManager when finished (informs user)

Changes to CLI switches:
* --wps-time X: Total time for WPS attack to complete
* --wps-timeouts X: Max number of timeouts before failing
* --wps-fails X: Max number of WPSFails before failing
* Removed unused WPS switches.
* Improved --help messaging for WPS switches.
* Fail/Timeout threshold default is 100

Bully now outputs useful information:
* Current PIN + status
* Time remaining
* Number of Timeout messages
* Number of "WPSFail" messages
* If AP is locked

Better reaver output.
* Looks more like Bully's output.
* Timer shows time remaining for attack.
* Mentions "Running pixiewps" during "M2 message" step.
* pixiewps failure looks like this: "Reaver says: 'WPS pin not found'"
* Counts Timeouts and "WPS Transaction Failure" (WPSFail)

For #28
This commit is contained in:
derv82
2018-04-07 06:22:16 -04:00
parent 20ea673a3d
commit 90c99b11f1
5 changed files with 420 additions and 290 deletions
Download Patch File Download Diff File Expand all files Collapse all files

264
wifite/tools/bully.py
View File

@@ -15,10 +15,10 @@ from threading import Thread
class Bully(Attack):
def __init__(self, target):
super(Bully, self).__init__(target)
self.consecutive_lockouts = self.consecutive_timeouts = self.consecutive_noassoc = 0
self.pins_attempted = 0
self.total_timeouts = 0
self.total_failures = 0
self.locked = False
self.state = "{O}Waiting for beacon{W}"
self.m_state = None
self.start_time = time.time()
self.cracked_pin = self.cracked_key = self.cracked_bssid = self.cracked_essid = None
@@ -46,8 +46,6 @@ class Bully(Attack):
self.bully_proc = None
def attack_type(self):
return "Pixie-Dust"
def run(self):
with Airodump(channel=self.target.channel,
@@ -55,11 +53,7 @@ class Bully(Attack):
skip_wps=True,
output_file_prefix='wps_pin') as airodump:
# Wait for target
Color.clear_entire_line()
Color.pattack("WPS",
self.target,
self.attack_type(),
"Waiting for target to appear...")
self.pattack("Waiting for target to appear...")
self.target = self.wait_for_target(airodump)
# Start bully
@@ -67,27 +61,42 @@ class Bully(Attack):
stderr=Process.devnull(),
bufsize=0,
cwd=Configuration.temp())
# Start bully status thread
t = Thread(target=self.parse_line_thread)
t.daemon = True
t.start()
try:
while self.bully_proc.poll() is None:
try:
self.target = self.wait_for_target(airodump)
except Exception as e:
Color.clear_entire_line()
Color.pattack("WPS",
self.target,
self.attack_type(),
"{R}failed: {O}%s{W}" % e)
Color.pl("")
self.pattack('{R}Failed: {O}%s{W}' % e, newline=True)
self.stop()
break
Color.clear_entire_line()
Color.pattack("WPS",
self.target,
self.attack_type(),
self.get_status())
# Update status
self.pattack(self.get_status())
# Check if entire attack timed out.
if self.running_time() > Configuration.wps_pixie_timeout:
self.pattack('{R}Failed: {O}Timeout after %d seconds{W}' % Configuration.wps_pixie_timeout, newline=True)
self.stop()
return
# Check if timeout threshold was breached
if self.total_timeouts >= Configuration.wps_timeout_threshold:
self.pattack('{R}Failed: {O}More than %d timeouts{W}' % Configuration.wps_timeout_threshold, newline=True)
self.stop()
return
# Check if WPSFail threshold was breached
if self.total_failures >= Configuration.wps_fail_threshold:
self.pattack('{R}Failed: {O}More than %d WPSFails{W}' % Configuration.wps_fail_threshold, newline=True)
self.stop()
return
time.sleep(0.5)
except KeyboardInterrupt as e:
self.stop()
@@ -97,111 +106,97 @@ class Bully(Attack):
raise e
if self.crack_result is None:
Color.clear_entire_line()
Color.pattack("WPS",
self.target,
self.attack_type(),
"{R}Failed{W}\n")
self.pattack("{R}Failed{W}", newline=True)
def pattack(self, message, newline=False):
# Print message with attack information.
time_left = Configuration.wps_pixie_timeout - self.running_time()
Color.clear_entire_line()
Color.pattack("WPS",
self.target,
'Pixie-Dust',
'{W}[{C}%s{W}] %s' % (Timer.secs_to_str(time_left), message))
if newline:
Color.pl("")
def running_time(self):
return int(time.time() - self.start_time)
def get_status(self):
result = self.state
result += " ({C}runtime:%s{W}" % Timer.secs_to_str(self.running_time())
result += " {G}tries:%d{W}" % self.pins_attempted
result += " {O}failures:%d{W}" % (self.consecutive_timeouts + self.consecutive_noassoc)
result += " {R}lockouts:%d{W}" % self.consecutive_lockouts
result += ")"
return result
main_status = self.state
meta_statuses = []
if self.total_timeouts > 0:
meta_statuses.append("{O}Timeouts:%d{W}" % self.total_timeouts)
if self.total_failures > 0:
meta_statuses.append("{O}WPSFail:%d{W}" % self.total_failures)
if self.locked:
meta_statuses.append("{R}Locked{W}")
if len(meta_statuses) > 0:
main_status += ' (%s)' % ', '.join(meta_statuses)
return main_status
def parse_line_thread(self):
for line in iter(self.bully_proc.pid.stdout.readline, b""):
if line == "": continue
line = line.replace("\r", "").replace("\n", "").strip()
if self.parse_line(line): break # Cracked
def parse_line(self, line):
# [+] Got beacon for 'Green House 5G' (30:85:a9:39:d2:1c)
got_beacon = re.search(r".*Got beacon for '(.*)' \((.*)\)", line)
if got_beacon:
# group(1)=ESSID, group(2)=BSSID
self.state = "Got beacon"
if Configuration.verbose > 1:
Color.pe('\n{P} [bully:stdout] %s' % line)
self.state = self.parse_state(line)
# [+] Last State = 'NoAssoc' Next pin '48855501'
last_state = re.search(r".*Last State = '(.*)'\s*Next pin '(.*)'", line)
if last_state:
# group(1)=result, group(2)=PIN
result = "Start" # last_state.group(1)
pin = last_state.group(2)
self.state = "Trying PIN:{C}%s{W}" % pin
self.crack_result = self.parse_crack_result(line)
# [+] Rx( M5 ) = 'Pin1Bad' Next pin '35565505'
# [+] Tx( Auth ) = 'Timeout' Next pin '80241263'
rx_m = re.search(r".*[RT]x\(\s*(.*)\s*\) = '(.*)'\s*Next pin '(.*)'", line)
if rx_m:
# group(1)=M3/M5, group(2)=result, group(3)=PIN
self.m_state = rx_m.group(1)
result = rx_m.group(2) # NoAssoc, WPSFail, Pin1Bad, Pin2Bad
if result in ["Pin1Bad", "Pin2Bad"]:
self.pins_attempted += 1
self.consecutive_lockouts = 0 # Reset lockout count
self.consecutive_timeouts = 0 # Reset timeout count
self.consecutive_noassoc = 0 # Reset timeout count
result = "{G}%s{W}" % result
elif result == "Timeout":
self.consecutive_timeouts += 1
result = "{O}%s{W}" % result
elif result == "NoAssoc":
self.consecutive_noassoc += 1
result = "{O}%s{W}" % result
else:
result = "{R}%s{W}" % result
pin = rx_m.group(3)
self.state = "Trying PIN:{C}%s{W} (%s)" % (pin, result)
# [!] WPS lockout reported, sleeping for 43 seconds ...
lock_out = re.search(r".*WPS lockout reported, sleeping for (\d+) seconds", line)
if lock_out:
sleeping = lock_out.group(1)
self.state = "{R}WPS Lock-out: {O}Waiting %s seconds{W}" % sleeping
self.consecutive_lockouts += 1
# [Pixie-Dust] WPS pin not found
pixie_re = re.search(r".*\[Pixie-Dust\] WPS pin not found", line)
if pixie_re:
self.state = "{R}Failed{W}"
if self.crack_result:
break
# [+] Running pixiewps with the information, wait ...
pixie_re = re.search(r".*Running pixiewps with the information", line)
if pixie_re:
self.state = "{G}Running pixiewps...{W}"
def parse_crack_result(self, line):
# Check for line containing PIN and PSK
# [*] Pin is '80246213', key is 'password'
# [*] Pin is '11867722', key is '9a6f7997'
pin_key_re = re.search(r"Pin is '(\d*)', key is '(.*)'", line)
if pin_key_re:
self.cracked_pin = pin_key_re.group(1)
self.cracked_key = pin_key_re.group(2)
# PIN : '80246213'
pin_re = re.search(r"^\s*PIN\s*:\s*'(.*)'\s*$", line)
if pin_re:
self.cracked_pin = pin_re.group(1)
###############
# Check for PIN
if self.cracked_pin is None:
# PIN : '80246213'
pin_re = re.search(r"^\s*PIN\s*:\s*'(.*)'\s*$", line)
if pin_re:
self.cracked_pin = pin_re.group(1)
# [Pixie-Dust] PIN FOUND: 01030365
pin_re = re.search(r"^\[Pixie-Dust\] PIN FOUND: '?(\d*)'?\s*$", line)
if pin_re:
self.cracked_pin = pin_re.group(1)
if self.cracked_pin is not None:
# Mention the PIN & that we're not done yet.
self.pattack("{G}Cracked PIN: {C}%s{W}" % self.cracked_pin, newline=True)
self.state = "{G}Finding PSK...{C}"
time.sleep(2)
###########################
# KEY : 'password'
key_re = re.search(r"^\s*KEY\s*:\s*'(.*)'\s*$", line)
if key_re:
self.cracked_key = key_re.group(1)
#warn_re = re.search(r"\[\!\]\s*(.*)$", line)
#if warn_re: self.state = "{O}%s{W}" % warn_re.group(1)
if not self.crack_result and self.cracked_pin and self.cracked_key:
Color.clear_entire_line()
Color.pattack("WPS", self.target, "Pixie-Dust", "{G}successfully cracked WPS PIN and PSK{W}")
Color.pl("")
self.pattack("{G}Cracked PSK: {C}%s{W}" % self.cracked_key, newline=True)
self.crack_result = CrackResultWPS(
self.target.bssid,
self.target.essid,
@@ -209,19 +204,81 @@ class Bully(Attack):
self.cracked_key)
Color.pl("")
self.crack_result.dump()
return True
else:
return False
return self.crack_result
def parse_state(self, line):
state = self.state
# [+] Got beacon for 'Green House 5G' (30:85:a9:39:d2:1c)
got_beacon = re.search(r".*Got beacon for '(.*)' \((.*)\)", line)
if got_beacon:
# group(1)=ESSID, group(2)=BSSID
state = "Got beacon"
# [+] Last State = 'NoAssoc' Next pin '48855501'
last_state = re.search(r".*Last State = '(.*)'\s*Next pin '(.*)'", line)
if last_state:
# group(1)=result, group(2)=PIN
pin = last_state.group(2)
state = "Trying PIN {C}%s{W} (%s)" % (pin, last_state.group(1))
# [+] Tx( Auth ) = 'Timeout' Next pin '80241263'
mx_result_pin = re.search(r".*[RT]x\(\s*(.*)\s*\) = '(.*)'\s*Next pin '(.*)'", line)
if mx_result_pin:
self.locked = False
# group(1)=M3/M5, group(2)=result, group(3)=PIN
m_state = mx_result_pin.group(1)
result = mx_result_pin.group(2) # NoAssoc, WPSFail, Pin1Bad, Pin2Bad
pin = mx_result_pin.group(3)
if result == "Timeout":
self.total_timeouts += 1
result = "{O}%s{W}" % result
elif result == "WPSFail":
self.total_failures += 1
result = "{O}%s{W}" % result
elif result == "NoAssoc":
result = "{O}%s{W}" % result
else:
result = "{R}%s{W}" % result
result = "{P}%s{W}:%s" % (m_state.strip(), result.strip())
state = "Trying PIN {C}%s{W} (%s)" % (pin, result)
# [!] WPS lockout reported, sleeping for 43 seconds ...
re_lockout = re.search(r".*WPS lockout reported, sleeping for (\d+) seconds", line)
if re_lockout:
self.locked = True
sleeping = re_lockout.group(1)
state = "{R}WPS Lock-out: {O}Waiting %s seconds{W}" % sleeping
# [Pixie-Dust] WPS pin not found
re_pin_not_found = re.search(r".*\[Pixie-Dust\] WPS pin not found", line)
if re_pin_not_found:
state = "{R}Failed: {O}Bully says 'WPS pin not found'{W}"
# [+] Running pixiewps with the information, wait ...
re_running_pixiewps = re.search(r".*Running pixiewps with the information", line)
if re_running_pixiewps:
state = "{G}Running pixiewps...{W}"
return state
def stop(self):
if hasattr(self, "pid") and self.pid and self.pid.poll() is None:
self.pid.interrupt()
def __del__(self):
self.stop()
@staticmethod
def get_psk_from_pin(target, pin):
# Fetches PSK from a Target assuming "pin" is the correct PIN
'''
bully --channel 1 --bssid 34:21:09:01:92:7C --pin 01030365 --bruteforce wlan0mon
PIN : '01030365'
@@ -229,8 +286,6 @@ class Bully(Attack):
BSSID : '34:21:09:01:92:7c'
ESSID : 'AirLink89300'
'''
Color.pl('\n{+} found PIN: {G}%s{W}' % pin)
Color.p('{+} fetching {C}PSK{W} using {C}bully{W}... ')
cmd = [
'bully',
'--channel', target.channel,
@@ -247,12 +302,11 @@ class Bully(Attack):
key_re = re.search(r"^\s*KEY\s*:\s*'(.*)'\s*$", line)
if key_re is not None:
psk = key_re.group(1)
Color.pl('{W}found PSK: {G}%s{W}' % psk)
return psk
Color.pl('{R}failed{W}')
return None
if __name__ == '__main__':
Configuration.initialize()
Configuration.interface = 'wlan0mon'