.gitignore hs/ directory
Braindump into TODO file
1
.gitignore
vendored
@@ -1,5 +1,6 @@
*.swp
*.pyc
py/hs/
hs/
*.bak
.idea/
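Review bot: `hs/` without a leading slash matches a directory named `hs` at any depth, so it already covers the pre-existing `py/hs/` entry; either drop `py/hs/` as redundant, or write `/hs/` if only the top-level handshake directory (the `./hs/` that the TODO's ATTACK (WPA) step 5 writes captures into) is meant. Keeping captured handshakes out of version control is the right default, but this only affects git: the `.cap` files still live on disk under `./hs/` with whatever permissions the tool creates them with, so a later commit should decide where that directory is created and how it is cleaned up.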
228
TODO.md
Normal file
@@ -0,0 +1,228 @@
Braindump of ideas to improve Wifite2 (or for Wifite3)

### Directory structure

Too modular in some places, not modular enough in others.

Not "/py":

* aircrack/aircrack.py <- process
* aircrack/airmon.py <- process
* aircrack/airodump.py <- process
* aircrack/aireplay.py <- process
* attack/decloak.py <- aireplay, airodump
* attack/wep.py (relay, chopchop, etc) <- aireplay, airodump
* attack/wpa.py (capture handshake only) <- aireplay, airodump
* attack/wps-pixie.py <- reaver
* attack/wps-pin.py
* config.py
* crack/crackwep.py <- target, result, aireplay, aircrack
* crack/crackwpa.py <- target, handshake, result, aircrack
* handshake/tshark.py <- process
* handshake/cowpatty.py <- process
* handshake/pyrit.py <- process
* output.py (color/printing) <- config
* process.py <- config
* scan/scan.py (airodump output to target) <- config, target, airodump
* target/target.py (ssid, pcap file) <- airodump, tshark
* target/result.py (PIN/PSK/KEY)
* target/handshake.py <- tshark, cowpatty, pyrit, aircrack

------------------------------------------------------

### Dependency injection

* Initialize each dependency at startup or when first possible.
* Pass dependencies to modules that require them.
* Modules that call aircrack expect aircrack.py
* Modules that print expect output.py
* Unit test using mocked dependencies.

------------------------------------------------------

### WPS detection

WASH
* Wash does not seem to detect APs when given a .cap file
* Wash can scan, but is slow and does not provide as much info as airodump
* We could run Wash as a daemon on the same channel as airodump...
* Channel-hopping might interfere with each-other?
* Could we tell wash to channel hop & tell airodump-ng to not channelhop? Vice versa?

AIRODUMP
* Airodump-ng detects WPS, but does not output to CSV
* Airodump-ng WPS detection requires parsing airodump's STDOUT

TSHARK
* DIY: Extract Beacon frames from the .cap file with WPS flags...
* `tshark -r f.cap -R "wps.primary_device_type.category == 6" -n -2`

------------------------------------------------------

### Backwards Compatibility

* WIFITE: needs command-line parity with older versions (or does it?)
* AIRODUMP: --output-format, --wps, and other flags are newer
* WASH: Broken? can we use AIRODUMP or something else?

------------------------------------------------------

### Dependencies

AIRMON
* Detect interfaces in monitor mode.
* Check if config interface name is found.
* Enable or Disable monitor mode on a device.

AIRODUMP
* Run as daemon (background thread)
* Accept flags as input (--ivs, --wps, etc)
* Construct a Target for all found APs
* Each Target includes list of associated Clients
* Can parse CSV to find lines with APs and lines with Clients
* Option to read from 1) Stdout, or 2) a CapFile
* Identify Target's attributes: ESSID, BSSID, AUTH
* Identify cloaked Targets (ESSID=null)
* Return filtered list of Targets based on AUTH, ESSID, BSSID
* XXX: Reading STDOUT might not match what's in the Cap file...
* XXX: But STDOUT gives us WPS and avoids WASH...

TARGET
* Constructed via passed-in CSV (airodump-ng --output-format=csv)
* Needs info on the current AP (1 line) and ALL clients (n lines)
* Keep track of BSSID, ESSID, Channel, AUTH, other attrs
* Construct Clients of target
* Start & return an Airodump Daemon (e.g. WEP needs --ivs flag)

AIREPLAY
* Fakeauth
* (Daemon) Start fakeauth process
* Detect fakeauth status
* End fakeauth process
* Deauth
* Call aireplay-ng to deauth a Client BSSID+ESSID
* Return status of deauth
* Chopchop & Fragment
1. (Daemon) Start aireplay-ng --chopchop on Target
2. LOOP
1. Detect chopchop status (.xor or EXCEPTION)
2. If .xor is created:
* Call packetforge-ng to forge cap
* Arpreplay on forged cap
3. If running time > threshold, EXCEPTION
* Arpreplay
1. (Daemon) Start aireplay-ng to replay given capfile
2. Detect status of replay (# of packets)
3. If running time > threshold and/or packet velocity < threshold, EXCEPTION

AIRCRACK
* Start aircrack-ng for WEP: Needs pcap file with IVS
* Start aircrack-ng for WPA: Needs pcap file containig Handshake
* Check status of aircrack-ng (`percenage`, `keys_tried`)
* Return cracked key

CONFIG
* Key/value stores: 1) defaults and 2) customer-defined
* Reads from command-line arguments (+input validation)
* Keys to filter scanned targets by some attribute
* Filter by AUTH: --wep, --wpa
* Filter by WPS: --wps
* Filter by channel: --channel
* Filter by bssid: --bssid
* Filter by essid: --essid
* Keys to specify attacks
* WEP: arp-replay, chopchop, fragmentation, etc
* WPA: Just handshake?
* WPS: pin, pixie-dust
* Keys to specify thresholds (running time, timeouts)
* Key to specify the command to run:
* SCAN (default), CRACK, INFO

------------------------------------------------------

### Workflow

MAIN: Starts everything
1. Parse command-line args, override defaults
2. Start appropriate COMMAND (SCAN, ATTACK, CRACK, INFO)

SCAN: (Scan + Attack + Result)
1. Find interface, start monitor mode (airmon.py)
2. LOOP
1. Get list of filtered targets (airodump.py)
* Option: Read from CSV every second or parse airodump STDOUT
2. Decloak SSIDs if possible (decloak.py)
3. Sort targets; Prefer WEP over WPS over WPA(1+ clients) over WPA(noclient)
4. Print targets to screen (ESSID, Channel, Power, WPS, # of clients)
5. Print decloaked ESSIDs (if any)
6. Wait 5 seconds, or until user interrupts
3. Prompt user to select target or range of targets
4. FOR EACH target:
1. ATTACK target based on CONFIG (WEP/WPA/WPS)
2. Print attack status (cracked or error)
3. WPA-only: Start cracking Handshake
4. If cracked, test credentials by connecting to the router (?).

ATTACK (ALL)
Returns cracked target information or throws exception

ATTACK (WEP)
0. Expects: Target
1. Start Airodump to capture IVS from the AP (airodump)
2. LOOP
1. (Daemon) Fakeauth with AP if needed (aireplay, config)
2. (Daemon?) Perform appropriate WEP attack (aireplay, packetforge)
3. If airodump IVS > threshold:
1. (Daemon) If Aircrack daemon is not running, start it. (aircrack)
2. If successful, add password to Target and return.
4. If aireplay/others and IVS has not changed in N seconds, restart attack.
5. If running time > threshold, EXCEPTION

ATTACK (WPA): Returns cracked Target or Handshake of Target
0. Expects: Target
1. Start Airodump to capture PCAP from the Target AP
2. LOOP
1. Get list of all associated Clients, add "*BROADCAST*"
2. (Daemon) Deauth a single client in list.
3. Print status (time remaining, clients, deauths sent)
4. Copy PCAP and check for Handshake
5. If handshake is found, save to ./hs/ and BREAK
6. If running time > threshold, EXCEPTION
3. (Daemon) If Config has a wordlist, try crack handshake (airodump)
1. If successful, add PSK to target and return
4. If not cracking or crack is unsuccessful, mark PSK as "Handshake" and return

ATTACK-WPS:
0. Expects: Target
1. For each attack (PIN and/or Pixie-Dust based on CONFIG):
1. (Daemon) Start Reaver (PIN/Pixie-Dust)
2. LOOP
1. Print Pixie status
2. If Pixie is successful, add PSK+PIN to Target and return
3. If Pixie failures > threshold, EXCEPTION
4. If Pixie is locked out == CONFIG, EXCEPTION
5. If running time > threshold, EXCEPTION

CRACK (WEP)
0. Expects: String pcap file containing IVS
2. FOR EACH Aircrack option:
1. (Daemon) Start Aircrack
2. LOOP
1. Print Aircrack status
2. If Aircrack is successful, print result
3. If unsuccessful, EXCEPTION

CRACK (WPA)
0. Expects: String pcap file containing Handshake (optional: BSSID/ESSID)
1. Select Cracking option (Aircrack, Cowpatty, Pyrit)
2. (Daemon) Start attack
3. LOOP
1. Print attack status if possible
2. If successful, print result
3. If unsuccessful, EXCEPTION

INFO:
* Print list of handshake files with ESSIDs, Dates, etc.
* Print list of cracked Targets (including WEP/WPA/WPS key)

------------------------------------------------------
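Review bot: the command set disagrees between sections: under CONFIG the command key is `SCAN (default), CRACK, INFO`, while MAIN dispatches `SCAN, ATTACK, CRACK, INFO`; settle on one list so the argument validation the CONFIG section promises and the dispatcher agree. Three smaller inconsistencies in the same hunk: ATTACK (WPA) step 3 credits the handshake crack to `(airodump)` although the dependency map and CRACK (WPA) give that job to aircrack/cowpatty/pyrit; CRACK (WEP) jumps from step 0 to step 2; and SCAN step 4.4 (`test credentials by connecting to the router (?)`) changes the tool's footprint from passive capture to actually associating with the AP, so if it stays it belongs behind an explicit CONFIG key, off by default, next to the existing "Keys to specify attacks". The two `XXX` notes under AIRODUMP point at a real design risk: if STDOUT and the CSV/cap disagree, the Target list should be built from one source of truth (the CSV, which `--output-format=csv` already gives the TARGET section) and STDOUT used only to enrich it with the WPS flag, otherwise the filter results will depend on which reader won. Typos to fix before this becomes documentation: `containig`, `percenage`, and `customer-defined` (presumably user-defined).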