skeletonKey
BEng Dissertation; Pen-testing device
WiFiTools.h
Go to the documentation of this file.
1// WiFiTools.h
2#ifndef WIFITOOLS_H
3#define WIFITOOLS_H
4
16#include <SD.h>
17#include <WiFi.h>
18
19#include <array>
20#include <vector>
21
22#include "esp_event.h"
23#include "esp_event_loop.h"
24#include "esp_log.h"
25#include "esp_system.h"
26#include "esp_wifi.h"
27#include "esp_wifi_types.h"
28#include "freertos/FreeRTOS.h"
29#include "nvs_flash.h"
30
31esp_err_t esp_wifi_set_channel(uint8_t primary, wifi_second_chan_t second);
32esp_err_t esp_wifi_80211_tx(wifi_interface_t ifx, const void* buffer, int len, bool en_sys_seq);
33esp_err_t esp_wifi_set_storage(wifi_storage_t storage);
34esp_err_t esp_wifi_set_mode(wifi_mode_t mode);
35esp_err_t esp_wifi_start();
36esp_err_t esp_wifi_set_promiscuous(bool en);
37
42typedef struct {
43 unsigned frame_ctrl : 16; /* frame control field */
44 unsigned duration_id : 16; /* duration/ID field */
45 uint8_t addr1[6]; /* receiver address */
46 uint8_t addr2[6]; /* sender address */
47 uint8_t addr3[6]; /* filtering address */
48 unsigned sequence_ctrl : 16; /* sequence control field */
49 uint8_t addr4[6]; /* optional */
50} wifi_ieee80211_mac_hdr_t;
51
56typedef struct {
57 wifi_ieee80211_mac_hdr_t hdr;
58 uint8_t payload[0]; /* network data ended with 4 bytes csum (CRC32) */
59} wifi_ieee80211_packet_t;
60
65typedef struct {
66 uint8_t ap_mac[6];
67 uint8_t sta_mac[6];
68 uint8_t eapol[256];
69 uint16_t eapol_len;
70 uint8_t keymic[16];
71 uint8_t replay_counter[8];
72 uint8_t essid[64];
73 uint8_t essid_len;
74} HCCAPX;
75
76typedef struct {
77 uint8_t apMac[6];
78 uint8_t staMac[6];
79 uint8_t channel;
80 uint8_t reasonCode;
81 int deauthDelayMs;
82} deauthPacket_t;
83
88typedef enum {
89 HANDSHAKE_CAPTURE,
90 CLIENT_DETECTION,
91 NONE
92} wifi_packet_flag;
93
98typedef enum {
99 DEAUTH,
100 BEACON_SPAM,
101 WiFi_IDLE
102} wifi_attack_mode;
103
104class WiFiTools {
105 private:
106 const bool wpa2 = true;
107 char emptySSID[32];
108 uint8_t channelIndex = 0;
109 uint8_t macAddr[6];
110 uint8_t randomMacAddr[6];
111 uint8_t wifiChannel = 1;
112 uint32_t currentTime = 0;
113 uint32_t packetSize = 0;
114 uint32_t packetCounter = 0;
115 uint32_t attackTime = 0;
116 uint32_t packetRateTime = 0;
117 uint8_t targetBSSID[6];
118 uint8_t targetChannel;
119 wifi_packet_flag packetScanFlag;
120 fs::SDFS* sd = nullptr;
121 wifi_attack_mode attackMode = WiFi_IDLE;
122 deauthPacket_t setDeauthPacket;
123 long lastDeauthTime = 0;
124 int lastBeconIndex = 0;
125 long lastBeaconTime = 0;
126 long beaconPaketDelayMs = 10;
127
128 wifi_init_config_t cfg = WIFI_INIT_CONFIG_DEFAULT();
129 std::vector<uint8_t*> detectedClients;
130 std::vector<uint8_t*> capturedPackets;
131 std::vector<wifi_ap_record_t> foundWiFiNetworks;
132
137 void beaconSpamSetup();
138
143 void generateRandomMac();
144
149 void sendBeaconPacket();
150
159 void sendDeauthPacket(uint8_t* apMac, uint8_t* stMac, uint8_t channel, uint8_t reasonCode);
160
166 void filterForClients(const wifi_ieee80211_mac_hdr_t* hdr);
167
174 void filterForHandshakes(void* buf, wifi_promiscuous_pkt_type_t type);
175
182 static void promiscuousPacketHandler(void* buf, wifi_promiscuous_pkt_type_t type);
183
193 void processWiFiData(uint8_t* networkBSSID, uint8_t channel, int captureTime, bool captureHandshake, bool detectClients);
194
195 // deauth frame definition
196 uint8_t deauthPacket[26] = {
197 /* 0 - 1 */ 0xA0, 0x00, // type, subtype c0: deauth (a0: disassociate)
198 /* 2 - 3 */ 0x3A, 0x01, // duration
199 /* 4 - 9 */ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // reciever (target)
200 /* 10 - 15 */ 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, // source (ap)
201 /* 16 - 21 */ 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, // BSSID (ap)
202 /* 22 - 23 */ 0x00, 0x00, // fragment & squence number
203 /* 24 - 25 */ 0x01, 0x00 // reason code (1 = unspecified reason)
204 };
205
206 // beacon frame definition
207 uint8_t beaconPacket[109] = {
208 /* 0 - 3 */ 0x80, 0x00, 0x00, 0x00, // Type/Subtype: management beacon frame
209 /* 4 - 9 */ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // Destination: broadcast
210 /* 10 - 15 */ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, // Source
211 /* 16 - 21 */ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, // Source
212
213 // Fixed parameters
214 /* 22 - 23 */ 0x00, 0x00, // Fragment & sequence number (will be done by the SDK)
215 /* 24 - 31 */ 0x83, 0x51, 0xf7, 0x8f, 0x0f, 0x00, 0x00, 0x00, // Timestamp
216 /* 32 - 33 */ 0x64, 0x00, // Interval: 0x64, 0x00 => every 100ms - 0xe8, 0x03 => every 1s
217 /* 34 - 35 */ 0x31, 0x00, // capabilities Information
218
219 // Tagged parameters
220
221 // SSID parameters
222 /* 36 - 37 */ 0x00, 0x20, // Tag: Set SSID length, Tag length: 32
223 /* 38 - 69 */ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, // SSID
224
225 // Supported Rates
226 /* 70 - 71 */ 0x01, 0x08, // Tag: Supported Rates, Tag length: 8
227 /* 72 */ 0x82, // 1(B)
228 /* 73 */ 0x84, // 2(B)
229 /* 74 */ 0x8b, // 5.5(B)
230 /* 75 */ 0x96, // 11(B)
231 /* 76 */ 0x24, // 18
232 /* 77 */ 0x30, // 24
233 /* 78 */ 0x48, // 36
234 /* 79 */ 0x6c, // 54
235
236 // Current Channel
237 /* 80 - 81 */ 0x03, 0x01, // Channel set, length
238 /* 82 */ 0x01, // Current Channel
239
240 // RSN information
241 /* 83 - 84 */ 0x30, 0x18,
242 /* 85 - 86 */ 0x01, 0x00,
243 /* 87 - 90 */ 0x00, 0x0f, 0xac, 0x02,
244 /* 91 - 100 */ 0x02, 0x00,
245 /* 93 - 100 */ 0x00, 0x0f, 0xac, 0x04, 0x00, 0x0f, 0xac, 0x04, /*Fix: changed 0x02(TKIP) to 0x04(CCMP) is default. WPA2 with TKIP not supported by many devices*/
246 /* 101 - 102 */ 0x01, 0x00,
247 /* 103 - 106 */ 0x00, 0x0f, 0xac, 0x02,
248 /* 107 - 108 */ 0x00, 0x00};
249
250 // Rick Roll SSIDs
251 const char* const rickRollSSIDs[8] PROGMEM = {
252 "NeverGonnaGiveYouUp",
253 "NeverGonnaLetYouDown",
254 "NeverGonnaRunAround",
255 "AndDesertYou",
256 "NeverGonnaMakeYouCry",
257 "NeverGonnaSayGoodbye",
258 "NeverGonnaTellALie",
259 "AndHurtYou"};
260
261 public:
266 WiFiTools();
267
273 void initWiFiTools(fs::SDFS& sdInstance);
274
279 void nextChannel();
280
286 void rickRollBeaconSpam(int duration);
287
292 void scanWiFiNetworks();
293
299 std::vector<wifi_ap_record_t> getAvailableNetworks();
300
305 void clearFoundWiFiNetworks();
306
311 void runAction();
312
317 void stopNetworkDeauth();
318
330 void startNetworkDeauth(uint8_t* networkSSID, uint8_t* networkBSSID, uint8_t channel, int availableNetworkIndex, uint8_t* targetMacAddr, int delayMs, uint8_t reasonCode);
331
344 void deauthNetwork(uint8_t* networkSSID, uint8_t* networkBSSID, uint8_t channel, int availableNetworkIndex, uint8_t* targetMacAddr, int numPackets, int delayMs, uint8_t reasonCode);
345
354 void handshakeCapture(uint8_t* networkBSSID, uint8_t channel, int availableNetworkIndex, int captureTime);
355
364 void activeHandshakeCapture(uint8_t* networkBSSID, uint8_t channel, int availableNetworkIndex, int captureTime);
365
374 void findClients(uint8_t* networkBSSID, uint8_t channel, int availableNetworkIndex, int captureTime);
375
381 void toggleRickRollBeaconSpam(bool enable);
382};
383
384// Declare the global instance
385extern WiFiTools* globalWiFiToolsInstance;
386
387#endif // WIFITOOLS_H
wifi_attack_mode
wifi_attack_mode
Enum to store the type of Wi-Fi attack mode.
Definition WiFiTools.h:98
wifi_packet_flag
wifi_packet_flag
Enum to store the type of Wi-Fi packet to capture.
Definition WiFiTools.h:88
wifi_attack_mode
wifi_attack_mode
Enum to store the type of Wi-Fi attack mode.
Definition WiFiTools.h:98
wifi_packet_flag
wifi_packet_flag
Enum to store the type of Wi-Fi packet to capture.
Definition WiFiTools.h:88
WiFiTools
Definition WiFiTools.h:104
WiFiTools::filterForClients
void filterForClients(const wifi_ieee80211_mac_hdr_t *hdr)
Function to identify clients based on detected packets.
Definition WiFiTools.cpp:374
WiFiTools::beaconSpamSetup
void beaconSpamSetup()
Setup function for the beacon spam attack.
Definition WiFiTools.cpp:43
WiFiTools::WiFiTools
WiFiTools()
Construct a new Wi-Fi Tools object.
Definition WiFiTools.cpp:34
WiFiTools::stopNetworkDeauth
void stopNetworkDeauth()
Function to end the network deathentication attack.
Definition WiFiTools.cpp:677
WiFiTools::promiscuousPacketHandler
static void promiscuousPacketHandler(void *buf, wifi_promiscuous_pkt_type_t type)
Callback function for promiscuous packet handling.
Definition WiFiTools.cpp:453
WiFiTools::activeHandshakeCapture
void activeHandshakeCapture(uint8_t *networkBSSID, uint8_t channel, int availableNetworkIndex, int captureTime)
Function to initiate an active handshake capture.
Definition WiFiTools.cpp:566
WiFiTools::clearFoundWiFiNetworks
void clearFoundWiFiNetworks()
Function to clear the found Wi-Fi networks vector.
Definition WiFiTools.cpp:275
WiFiTools::scanWiFiNetworks
void scanWiFiNetworks()
Function to scan for available Wi-Fi networks.
Definition WiFiTools.cpp:248
WiFiTools::sendDeauthPacket
void sendDeauthPacket(uint8_t *apMac, uint8_t *stMac, uint8_t channel, uint8_t reasonCode)
Function to transmit a deatuthentication packet.
Definition WiFiTools.cpp:279
WiFiTools::filterForHandshakes
void filterForHandshakes(void *buf, wifi_promiscuous_pkt_type_t type)
Function to filter packets for handshake capture.
Definition WiFiTools.cpp:394
WiFiTools::initWiFiTools
void initWiFiTools(fs::SDFS &sdInstance)
Initialise the Wi-Fi tools object.
Definition WiFiTools.cpp:39
WiFiTools::nextChannel
void nextChannel()
Function to change the Wi-Fi channel.
Definition WiFiTools.cpp:80
WiFiTools::handshakeCapture
void handshakeCapture(uint8_t *networkBSSID, uint8_t channel, int availableNetworkIndex, int captureTime)
Function to initiate a passive handshake capture.
Definition WiFiTools.cpp:518
WiFiTools::sendBeaconPacket
void sendBeaconPacket()
Function to send a single beacon packet.
Definition WiFiTools.cpp:186
WiFiTools::toggleRickRollBeaconSpam
void toggleRickRollBeaconSpam(bool enable)
Function to toggle the Rick Roll beacon spam attack.
Definition WiFiTools.cpp:173
WiFiTools::findClients
void findClients(uint8_t *networkBSSID, uint8_t channel, int availableNetworkIndex, int captureTime)
Function to identify clients connected to a network.
Definition WiFiTools.cpp:599
WiFiTools::startNetworkDeauth
void startNetworkDeauth(uint8_t *networkSSID, uint8_t *networkBSSID, uint8_t channel, int availableNetworkIndex, uint8_t *targetMacAddr, int delayMs, uint8_t reasonCode)
Function to start a deauthentication attack.
Definition WiFiTools.cpp:629
WiFiTools::processWiFiData
void processWiFiData(uint8_t *networkBSSID, uint8_t channel, int captureTime, bool captureHandshake, bool detectClients)
Function to begin capture and processing of Wi-Fi data.
Definition WiFiTools.cpp:492
WiFiTools::deauthNetwork
void deauthNetwork(uint8_t *networkSSID, uint8_t *networkBSSID, uint8_t channel, int availableNetworkIndex, uint8_t *targetMacAddr, int numPackets, int delayMs, uint8_t reasonCode)
Function to run a deauthentication attack.
Definition WiFiTools.cpp:325
WiFiTools::generateRandomMac
void generateRandomMac()
Function to generate a random MAC address.
Definition WiFiTools.cpp:90
WiFiTools::rickRollBeaconSpam
void rickRollBeaconSpam(int duration)
Function to run a Rick Roll beacon spam attack.
Definition WiFiTools.cpp:97
WiFiTools::runAction
void runAction()
Function to call from external code to run the action.
Definition WiFiTools.cpp:683
WiFiTools::getAvailableNetworks
std::vector< wifi_ap_record_t > getAvailableNetworks()
Get the Available Networks object.
Definition WiFiTools.cpp:268
HCCAPX
Struct to store the information of a 4-way handshake.
Definition WiFiTools.h:65
deauthPacket_t
Definition WiFiTools.h:76
wifi_ieee80211_mac_hdr_t
Struct to store the MAC header of a Wi-Fi packet.
Definition WiFiTools.h:42
wifi_ieee80211_packet_t
Struct to store the payload of a Wi-Fi packet.
Definition WiFiTools.h:56
Generated by doxygen 1.9.8