Added --nodeauths command, try to fix WEP replay attacks.
Aireplay can optionally discard the process output (via `devnull=True`). The WEP attacks now pass `devnull=True`, so aireplay-ng output is not captured there, to avoid a deadlock when the OS pipe buffer fills up (see #21).
@@ -53,7 +53,7 @@ class WEPAttackType(object):
|
||||
|
||||
|
||||
class Aireplay(object):
|
||||
def __init__(self, target, attack_type, client_mac=None, replay_file=None):
|
||||
def __init__(self, target, attack_type, client_mac=None, replay_file=None, devnull=False):
|
||||
'''
|
||||
Starts aireplay process.
|
||||
Args:
|
||||
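Review bot: The new `devnull` parameter is not described in the Args section that starts at the end of this hunk (its entries lie outside the hunk), so a caller has to read `Process` to learn that `devnull=True` throws away aireplay-ng's stdout/stderr and therefore leaves nothing for `get_output()` to return. Suggest an entry such as `devnull - If True, discard aireplay-ng output instead of buffering it (avoids the pipe-buffer deadlock from #21); get_output() is then empty.` The body of `Aireplay.__init__` continues past the hunk.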
@@ -77,7 +77,7 @@ class Aireplay(object):
|
||||
'''
|
||||
|
||||
self.pid = Process(cmd,
|
||||
devnull=False,
|
||||
devnull=devnull,
|
||||
cwd=Configuration.temp())
|
||||
|
||||
def is_running(self):
|
||||
@@ -85,7 +85,7 @@ class Aireplay(object):
|
||||
|
||||
def stop(self):
|
||||
''' Stops aireplay process '''
|
||||
if self.pid and self.pid.poll() != None:
|
||||
if self.pid and self.pid.poll() == None:
|
||||
self.pid.interrupt()
|
||||
|
||||
def get_output(self):
|
||||
|
||||
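Review bot: The corrected guard in `stop()` still tests with `== None`; the idiomatic form that cannot be fooled by an `__eq__` override is `if self.pid and self.pid.poll() is None:`. As written, `stop()` only sends an interrupt and returns without waiting, so a caller that immediately creates a new `Aireplay` for the same target can briefly have two aireplay-ng instances injecting; if `Process` exposes a wait, calling it after `interrupt()` would make the stop synchronous, though the `Process` API is not visible here.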
@@ -146,7 +146,7 @@ class Airodump(object):
|
||||
Wash.check_for_wps_and_update_targets(capfile, targets)
|
||||
|
||||
# Filter targets based on encryption
|
||||
targets = Airodump.filter_targets(targets)
|
||||
targets = Airodump.filter_targets(targets, skip_wash=self.skip_wash)
|
||||
|
||||
# Sort by power
|
||||
targets.sort(key=lambda x: x.power, reverse=True)
|
||||
@@ -224,19 +224,18 @@ class Airodump(object):
|
||||
return targets
|
||||
|
||||
@staticmethod
|
||||
def filter_targets(targets):
|
||||
def filter_targets(targets, skip_wash=False):
|
||||
''' Filters targets based on Configuration '''
|
||||
result = []
|
||||
# Filter based on Encryption
|
||||
for target in targets:
|
||||
if 'WEP' in Configuration.encryption_filter and \
|
||||
'WEP' in target.encryption:
|
||||
if 'WEP' in Configuration.encryption_filter and 'WEP' in target.encryption:
|
||||
result.append(target)
|
||||
elif 'WPA' in Configuration.encryption_filter and \
|
||||
'WPA' in target.encryption:
|
||||
elif 'WPA' in Configuration.encryption_filter and 'WPA' in target.encryption:
|
||||
result.append(target)
|
||||
elif 'WPS' in Configuration.encryption_filter and \
|
||||
target.wps:
|
||||
elif 'WPS' in Configuration.encryption_filter and target.wps:
|
||||
result.append(target)
|
||||
elif skip_wash:
|
||||
result.append(target)
|
||||
|
||||
# Filter based on BSSID/ESSID
|
||||
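Review bot: The new `elif skip_wash: result.append(target)` branch admits every target that failed the WEP/WPA/WPS checks, so with `skip_wash=True` the encryption filter from `Configuration.encryption_filter` is bypassed entirely (an OPN network, for instance, would now be kept), which contradicts the docstring "Filters targets based on Configuration". If the intent is only to stop dropping WPS-capable targets whose `target.wps` flag was never set because wash did not run, narrow it to the WPS case, e.g. `elif skip_wash and 'WPS' in Configuration.encryption_filter: result.append(target)`, and add a comment saying why; the attack-time callers pass `target_bssid` so they are unlikely to notice either way, but the scan path is affected too. The BSSID/ESSID filtering that follows lies outside the hunk.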
@@ -259,7 +258,11 @@ class Airodump(object):
|
||||
targets (APs) that have unknown ESSIDs (hidden router names).
|
||||
'''
|
||||
self.decloaking = False
|
||||
# Only deauth if channel is fixed.
|
||||
|
||||
# Do not deauth if requested
|
||||
if Configuration.no_deauth: return
|
||||
|
||||
# Do not deauth if channel is not fixed.
|
||||
if self.channel is None: return
|
||||
|
||||
# Reusable deauth command
|
||||
|
||||
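Review bot: The docstring just above the new guards still says this routine deauths to reveal hidden ESSIDs, without noting that `--nodeauths` disables it, and the early `return` is silent, so a user running with that option sees hidden networks never decloak and no explanation. Suggest extending the docstring with `Does nothing when Configuration.no_deauth is set (--nodeauths) or when the channel is not fixed.` The rest of the decloak routine, including the deauth command itself, lies outside the hunk.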
@@ -60,6 +60,10 @@ class Arguments(object):
|
||||
default=0,
|
||||
dest='verbose',
|
||||
help=Color.s('Verbose mode, prints more lines (default: {G}quiet{W})'))
|
||||
glob.add_argument('--nodeauths',
|
||||
action='store_true',
|
||||
dest='no_deauth',
|
||||
help=Color.s('Do not deauthenticate clients *EVER* (default: {G}off{W})'))
|
||||
|
||||
# WEP
|
||||
wep = parser.add_argument_group('WEP-RELATED')
|
||||
|
||||
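Review bot: The help text `(default: off)` is ambiguous for a flag named `--nodeauths`: "off" could be read as "deauth is off" when it actually means the option is not set. Suggest `help=Color.s('Never deauthenticate clients, not even for hidden-ESSID decloaking or WPA handshakes (default: {G}deauth enabled{W})')`. A hyphenated alias `'--no-deauth'` alongside `'--nodeauths'` would also match the `dest='no_deauth'` name and the other long options' style, if the parser accepts multiple names.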
@@ -68,6 +68,7 @@ class AttackWEP(Attack):
|
||||
aireplay = Aireplay(self.target, \
|
||||
wep_attack_type, \
|
||||
client_mac=client_mac, \
|
||||
devnull=True,
|
||||
replay_file=replay_file)
|
||||
|
||||
time_unchanged_ivs = time.time() # Timestamp when IVs last changed
|
||||
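Review bot: The inserted `devnull=True,` line has no trailing backslash while the sibling arguments do; inside the parentheses none of them are needed, so either drop the `\` continuations from the whole call or keep them consistent so a later edit does not trip on the mix. The enclosing `AttackWEP` method starts and ends outside the hunk.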
@@ -146,9 +147,8 @@ class AttackWEP(Attack):
|
||||
Color.pl('\n{!} {O}%s attack{R} did not generate' % attack_name +
|
||||
' a .xor file{W}')
|
||||
# XXX: For debugging
|
||||
Color.pl('\noutput:\n')
|
||||
Color.pl(aireplay.get_output())
|
||||
Color.pl('')
|
||||
Color.pl('{?} {O}Command: {R}%s{W}' % aireplay.cmd)
|
||||
Color.pl('{?} {O}Output:\n{R}%s{W}' % aireplay.get_output())
|
||||
break
|
||||
|
||||
# If .xor exists, run packetforge-ng to create .cap
|
||||
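Review bot: The new diagnostic `Color.pl('{?} {O}Output:\n{R}%s{W}' % aireplay.get_output())` will print nothing useful here, because this `Aireplay` is constructed with `devnull=True` in the preceding hunk and its output is discarded before `get_output()` can see it (the body of `get_output` is not visible, so it may return an empty string or None). Either keep the `Command:` line and drop the output line, or print it only when output was captured, e.g. `if not aireplay.devnull: Color.pl(...)` if the instance records that flag. The surrounding loop starts and ends outside the hunk.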
@@ -172,8 +172,8 @@ class AttackWEP(Attack):
|
||||
break
|
||||
else:
|
||||
Color.pl('\n{!} {O}aireplay-ng exited unexpectedly{W}')
|
||||
Color.pl('\naireplay.get_output():')
|
||||
Color.pl(aireplay.get_output())
|
||||
Color.pl('{?} {O}Command: {R}%s{W}' % aireplay.cmd)
|
||||
Color.pl('{?} {O}Output:\n%s{W}' % aireplay.get_output())
|
||||
break # Continue to other attacks
|
||||
|
||||
# Check if IVs stopped flowing (same for > N seconds)
|
||||
@@ -189,9 +189,12 @@ class AttackWEP(Attack):
|
||||
Color.pl('\n{!} restarting {C}aireplay{W} after' +
|
||||
' {C}%d{W} seconds of no new IVs'
|
||||
% stale_seconds)
|
||||
Color.pl("\naireplay output:\n%s" % aireplay.get_output())
|
||||
aireplay = Aireplay(self.target, \
|
||||
wep_attack_type, \
|
||||
client_mac=client_mac)
|
||||
client_mac=client_mac, \
|
||||
devnull=True,
|
||||
replay_file=replay_file)
|
||||
time_unchanged_ivs = time.time()
|
||||
previous_ivs = airodump_target.ivs
|
||||
|
||||
|
||||
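Review bot: Rebinding `aireplay = Aireplay(...)` on restart does not stop the previous aireplay-ng process unless a `stop()` call sits just above the hunk, so after a few stale periods several injectors could be running against the same target; if there is no such call, add `aireplay.stop()` before the new construction. The context line `Color.pl("\naireplay output:\n%s" % aireplay.get_output())` also prints the output of a process that now runs with `devnull=True`, so it will be empty and can go. Passing `replay_file=replay_file` on restart is the right fix for the replay attacks; the enclosing loop continues outside the hunk.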
@@ -34,6 +34,7 @@ class AttackWPA(Attack):
|
||||
# First, start Airodump process
|
||||
with Airodump(channel=self.target.channel,
|
||||
target_bssid=self.target.bssid,
|
||||
skip_wash=True,
|
||||
output_file_prefix='wpa') as airodump:
|
||||
|
||||
Color.clear_entire_line()
|
||||
@@ -216,7 +217,8 @@ class AttackWPA(Attack):
|
||||
station_bssid - Client BSSID to deauth
|
||||
Deauths 'broadcast' if no client is specified.
|
||||
'''
|
||||
# TODO: Print that we are deauthing and who we are deauthing!
|
||||
if Configuration.no_deauth: return
|
||||
|
||||
target_name = station_bssid
|
||||
if target_name == None:
|
||||
target_name = 'broadcast'
|
||||
|
||||
@@ -77,7 +77,7 @@ class AttackWPS(Attack):
|
||||
|
||||
with Airodump(channel=self.target.channel,
|
||||
target_bssid=self.target.bssid,
|
||||
skip_wash=False,
|
||||
skip_wash=True,
|
||||
output_file_prefix='pixie') as airodump:
|
||||
|
||||
Color.clear_line()
|
||||
@@ -214,7 +214,7 @@ class AttackWPS(Attack):
|
||||
|
||||
with Airodump(channel=self.target.channel,
|
||||
target_bssid=self.target.bssid,
|
||||
skip_wash=False,
|
||||
skip_wash=True,
|
||||
output_file_prefix='wps') as airodump:
|
||||
|
||||
Color.clear_line()
|
||||
|
||||
@@ -21,7 +21,8 @@ class Color(object):
|
||||
# Helper string replacements
|
||||
replacements = {
|
||||
'{+}': ' {W}[{G}+{W}]',
|
||||
'{!}': ' {O}[{R}!{O}]{W}'
|
||||
'{!}': ' {O}[{R}!{O}]{W}',
|
||||
'{?}': ' {W}[{C}?{W}]'
|
||||
}
|
||||
|
||||
last_sameline_length = 0
|
||||
|
||||
@@ -36,6 +36,7 @@ class Configuration(object):
|
||||
Configuration.five_ghz = False # Scan 5Ghz channels
|
||||
Configuration.pillage = False # "All" mode to attack everything
|
||||
Configuration.random_mac = False
|
||||
Configuration.no_deauth = False # Deauth hidden networks & WPA handshake targets
|
||||
|
||||
Configuration.encryption_filter = ['WEP', 'WPA', 'WPS']
|
||||
|
||||
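Review bot: The inline comment on `Configuration.no_deauth = False` reads as if the flag enables deauthing, which is the opposite of its meaning, and will mislead the next reader of the defaults list. Suggest `Configuration.no_deauth = False  # If True, never send deauths (skips hidden-ESSID decloaking and WPA handshake deauths)`.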
@@ -127,6 +128,9 @@ class Configuration(object):
|
||||
if args.five_ghz == True:
|
||||
Configuration.five_ghz = True
|
||||
Color.pl('{+} {C}option:{W} including {G}5Ghz networks{W} in scans')
|
||||
if args.no_deauth == True:
|
||||
Configuration.no_deauth = True
|
||||
Color.pl('{+} {C}option:{W} will {R}not{W} {O}deauth{W} clients during scans or captures')
|
||||
if args.target_essid:
|
||||
Configuration.target_essid = args.target_essid
|
||||
Color.pl('{+} {C}option:{W} targeting ESSID {G}%s{W}' % args.target_essid)
|
||||
|
||||
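Review bot: `if args.no_deauth == True:` mirrors the existing `args.five_ghz == True` line but compares a `store_true` flag against a literal; the idiomatic form is `if args.no_deauth:`. The option message also only mentions "scans or captures", while the same flag is checked in the WPA attack's deauth routine, so `will {R}not{W} {O}deauth{W} clients during scans, decloaking or handshake captures` would describe it more accurately.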