skeletonKey
BEng Dissertation; Pen-testing device
WiFiTools.h
Go to the documentation of this file.
1// WiFiTools.h
2#ifndef WIFITOOLS_H
3#define WIFITOOLS_H
4
16#include <SD.h>
17#include <WiFi.h>
18
19#include <array>
20#include <vector>
21
22#include "esp_event.h"
23#include "esp_event_loop.h"
24#include "esp_log.h"
25#include "esp_system.h"
26#include "esp_wifi.h"
27#include "esp_wifi_types.h"
28#include "freertos/FreeRTOS.h"
29#include "nvs_flash.h"
30
31esp_err_t esp_wifi_set_channel(uint8_t primary, wifi_second_chan_t second);
32esp_err_t esp_wifi_80211_tx(wifi_interface_t ifx, const void* buffer, int len, bool en_sys_seq);
33esp_err_t esp_wifi_set_storage(wifi_storage_t storage);
34esp_err_t esp_wifi_set_mode(wifi_mode_t mode);
35esp_err_t esp_wifi_start();
36esp_err_t esp_wifi_set_promiscuous(bool en);
37
42typedef struct {
43 unsigned frame_ctrl : 16; /* frame control field */
44 unsigned duration_id : 16; /* duration/ID field */
45 uint8_t addr1[6]; /* receiver address */
46 uint8_t addr2[6]; /* sender address */
47 uint8_t addr3[6]; /* filtering address */
48 unsigned sequence_ctrl : 16; /* sequence control field */
49 uint8_t addr4[6]; /* optional */
50} wifi_ieee80211_mac_hdr_t;
51
56typedef struct {
57 wifi_ieee80211_mac_hdr_t hdr;
58 uint8_t payload[0]; /* network data ended with 4 bytes csum (CRC32) */
59} wifi_ieee80211_packet_t;
60
65typedef struct {
66 uint8_t ap_mac[6];
67 uint8_t sta_mac[6];
68 uint8_t eapol[256];
69 uint16_t eapol_len;
70 uint8_t keymic[16];
71 uint8_t replay_counter[8];
72 uint8_t essid[64];
73 uint8_t essid_len;
74} HCCAPX;
75
76typedef struct {
77 uint8_t apMac[6];
78 uint8_t staMac[6];
79 uint8_t channel;
80 uint8_t reasonCode;
81 int deauthDelayMs;
82} deauthPacket_t;
83
88typedef enum {
89 HANDSHAKE_CAPTURE,
90 CLIENT_DETECTION,
91 NONE
92} wifi_packet_flag;
93
98typedef enum {
99 DEAUTH,
100 BEACON_SPAM,
101 WiFi_IDLE
102} wifi_attack_mode;
103
104class WiFiTools {
105 private:
106 const bool wpa2 = true;
107 char emptySSID[32];
108 uint8_t channelIndex = 0;
109 uint8_t macAddr[6];
110 uint8_t randomMacAddr[6];
111 uint8_t wifiChannel = 1;
112 uint32_t currentTime = 0;
113 uint32_t packetSize = 0;
114 uint32_t packetCounter = 0;
115 uint32_t attackTime = 0;
116 uint32_t packetRateTime = 0;
117 uint8_t targetBSSID[6];
118 uint8_t targetChannel;
119 wifi_packet_flag packetScanFlag;
120 fs::SDFS* sd = nullptr;
121 wifi_attack_mode attackMode = WiFi_IDLE;
122 deauthPacket_t setDeauthPacket;
123 long lastDeauthTime = 0;
124 int lastBeconIndex = 0;
125
126 wifi_init_config_t cfg = WIFI_INIT_CONFIG_DEFAULT();
127 std::vector<uint8_t*> detectedClients;
128 std::vector<uint8_t*> capturedPackets;
129 std::vector<wifi_ap_record_t> foundWiFiNetworks;
130
135 void beaconSpamSetup();
136
141 void generateRandomMac();
142
151 void sendDeauthPacket(uint8_t* apMac, uint8_t* stMac, uint8_t channel, uint8_t reasonCode);
152
158 void filterForClients(const wifi_ieee80211_mac_hdr_t* hdr);
159
166 void filterForHandshakes(void* buf, wifi_promiscuous_pkt_type_t type);
167
174 static void promiscuousPacketHandler(void* buf, wifi_promiscuous_pkt_type_t type);
175
185 void processWiFiData(uint8_t* networkBSSID, uint8_t channel, int captureTime, bool captureHandshake, bool detectClients);
186
187 // deauth frame definition
188 uint8_t deauthPacket[26] = {
189 /* 0 - 1 */ 0xA0, 0x00, // type, subtype c0: deauth (a0: disassociate)
190 /* 2 - 3 */ 0x3A, 0x01, // duration
191 /* 4 - 9 */ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // reciever (target)
192 /* 10 - 15 */ 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, // source (ap)
193 /* 16 - 21 */ 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, // BSSID (ap)
194 /* 22 - 23 */ 0x00, 0x00, // fragment & squence number
195 /* 24 - 25 */ 0x01, 0x00 // reason code (1 = unspecified reason)
196 };
197
198 // beacon frame definition
199 uint8_t beaconPacket[109] = {
200 /* 0 - 3 */ 0x80, 0x00, 0x00, 0x00, // Type/Subtype: management beacon frame
201 /* 4 - 9 */ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // Destination: broadcast
202 /* 10 - 15 */ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, // Source
203 /* 16 - 21 */ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, // Source
204
205 // Fixed parameters
206 /* 22 - 23 */ 0x00, 0x00, // Fragment & sequence number (will be done by the SDK)
207 /* 24 - 31 */ 0x83, 0x51, 0xf7, 0x8f, 0x0f, 0x00, 0x00, 0x00, // Timestamp
208 /* 32 - 33 */ 0x64, 0x00, // Interval: 0x64, 0x00 => every 100ms - 0xe8, 0x03 => every 1s
209 /* 34 - 35 */ 0x31, 0x00, // capabilities Information
210
211 // Tagged parameters
212
213 // SSID parameters
214 /* 36 - 37 */ 0x00, 0x20, // Tag: Set SSID length, Tag length: 32
215 /* 38 - 69 */ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, // SSID
216
217 // Supported Rates
218 /* 70 - 71 */ 0x01, 0x08, // Tag: Supported Rates, Tag length: 8
219 /* 72 */ 0x82, // 1(B)
220 /* 73 */ 0x84, // 2(B)
221 /* 74 */ 0x8b, // 5.5(B)
222 /* 75 */ 0x96, // 11(B)
223 /* 76 */ 0x24, // 18
224 /* 77 */ 0x30, // 24
225 /* 78 */ 0x48, // 36
226 /* 79 */ 0x6c, // 54
227
228 // Current Channel
229 /* 80 - 81 */ 0x03, 0x01, // Channel set, length
230 /* 82 */ 0x01, // Current Channel
231
232 // RSN information
233 /* 83 - 84 */ 0x30, 0x18,
234 /* 85 - 86 */ 0x01, 0x00,
235 /* 87 - 90 */ 0x00, 0x0f, 0xac, 0x02,
236 /* 91 - 100 */ 0x02, 0x00,
237 /* 93 - 100 */ 0x00, 0x0f, 0xac, 0x04, 0x00, 0x0f, 0xac, 0x04, /*Fix: changed 0x02(TKIP) to 0x04(CCMP) is default. WPA2 with TKIP not supported by many devices*/
238 /* 101 - 102 */ 0x01, 0x00,
239 /* 103 - 106 */ 0x00, 0x0f, 0xac, 0x02,
240 /* 107 - 108 */ 0x00, 0x00};
241
242 // Rick Roll SSIDs
243 const char* const rickRollSSIDs[8] PROGMEM = {
244 "NeverGonnaGiveYouUp",
245 "NeverGonnaLetYouDown",
246 "NeverGonnaRunAround",
247 "AndDesertYou",
248 "NeverGonnaMakeYouCry",
249 "NeverGonnaSayGoodbye",
250 "NeverGonnaTellALie",
251 "AndHurtYou"};
252
253 public:
258 WiFiTools();
259
265 void initWiFiTools(fs::SDFS& sdInstance);
266
271 void nextChannel();
272
278 void rickRollBeaconSpam(int duration);
279
284 void scanWiFiNetworks();
285
291 std::vector<wifi_ap_record_t> getAvailableNetworks();
292
297 void clearFoundWiFiNetworks();
298
303 void runAction();
304
309 void stopNetworkDeauth();
310
322 void startNetworkDeauth(uint8_t* networkSSID, uint8_t* networkBSSID, uint8_t channel, int availableNetworkIndex, uint8_t* targetMacAddr, int delayMs, uint8_t reasonCode);
323
336 void deauthNetwork(uint8_t* networkSSID, uint8_t* networkBSSID, uint8_t channel, int availableNetworkIndex, uint8_t* targetMacAddr, int numPackets, int delayMs, uint8_t reasonCode);
337
346 void handshakeCapture(uint8_t* networkBSSID, uint8_t channel, int availableNetworkIndex, int captureTime);
347
356 void activeHandshakeCapture(uint8_t* networkBSSID, uint8_t channel, int availableNetworkIndex, int captureTime);
357
366 void findClients(uint8_t* networkBSSID, uint8_t channel, int availableNetworkIndex, int captureTime);
367};
368
369// Declare the global instance
370extern WiFiTools* globalWiFiToolsInstance;
371
372#endif // WIFITOOLS_H
wifi_attack_mode
wifi_attack_mode
Enum to store the type of Wi-Fi attack mode.
Definition WiFiTools.h:98
wifi_packet_flag
wifi_packet_flag
Enum to store the type of Wi-Fi packet to capture.
Definition WiFiTools.h:88
WiFiTools
Definition WiFiTools.h:104
WiFiTools::filterForClients
void filterForClients(const wifi_ieee80211_mac_hdr_t *hdr)
Function to identify clients based on detected packets.
WiFiTools::beaconSpamSetup
void beaconSpamSetup()
Setup function for the beacon spam attack.
WiFiTools::WiFiTools
WiFiTools()
Construct a new Wi-Fi Tools object.
WiFiTools::stopNetworkDeauth
void stopNetworkDeauth()
Function to end the network deathentication attack.
WiFiTools::activeHandshakeCapture
void activeHandshakeCapture(uint8_t *networkBSSID, uint8_t channel, int availableNetworkIndex, int captureTime)
Function to initiate an active handshake capture.
WiFiTools::clearFoundWiFiNetworks
void clearFoundWiFiNetworks()
Function to clear the found Wi-Fi networks vector.
WiFiTools::scanWiFiNetworks
void scanWiFiNetworks()
Function to scan for available Wi-Fi networks.
WiFiTools::sendDeauthPacket
void sendDeauthPacket(uint8_t *apMac, uint8_t *stMac, uint8_t channel, uint8_t reasonCode)
Function to transmit a deatuthentication packet.
WiFiTools::filterForHandshakes
void filterForHandshakes(void *buf, wifi_promiscuous_pkt_type_t type)
Function to filter packets for handshake capture.
WiFiTools::initWiFiTools
void initWiFiTools(fs::SDFS &sdInstance)
Initialise the Wi-Fi tools object.
WiFiTools::promiscuousPacketHandler
static void promiscuousPacketHandler(void *buf, wifi_promiscuous_pkt_type_t type)
Callback function for promiscuous packet handling.
WiFiTools::nextChannel
void nextChannel()
Function to change the Wi-Fi channel.
WiFiTools::handshakeCapture
void handshakeCapture(uint8_t *networkBSSID, uint8_t channel, int availableNetworkIndex, int captureTime)
Function to initiate a passive handshake capture.
WiFiTools::findClients
void findClients(uint8_t *networkBSSID, uint8_t channel, int availableNetworkIndex, int captureTime)
Function to identify clients connected to a network.
WiFiTools::startNetworkDeauth
void startNetworkDeauth(uint8_t *networkSSID, uint8_t *networkBSSID, uint8_t channel, int availableNetworkIndex, uint8_t *targetMacAddr, int delayMs, uint8_t reasonCode)
Function to start a deauthentication attack.
WiFiTools::processWiFiData
void processWiFiData(uint8_t *networkBSSID, uint8_t channel, int captureTime, bool captureHandshake, bool detectClients)
Function to begin capture and processing of Wi-Fi data.
WiFiTools::deauthNetwork
void deauthNetwork(uint8_t *networkSSID, uint8_t *networkBSSID, uint8_t channel, int availableNetworkIndex, uint8_t *targetMacAddr, int numPackets, int delayMs, uint8_t reasonCode)
Function to run a deauthentication attack.
WiFiTools::generateRandomMac
void generateRandomMac()
Function to generate a random MAC address.
WiFiTools::rickRollBeaconSpam
void rickRollBeaconSpam(int duration)
Function to run a Rick Roll beacon spam attack.
WiFiTools::runAction
void runAction()
Function to call from external code to run the action.
WiFiTools::getAvailableNetworks
std::vector< wifi_ap_record_t > getAvailableNetworks()
Get the Available Networks object.
HCCAPX
Struct to store the information of a 4-way handshake.
Definition WiFiTools.h:65
deauthPacket_t
Definition WiFiTools.h:76
wifi_ieee80211_mac_hdr_t
Struct to store the MAC header of a Wi-Fi packet.
Definition WiFiTools.h:42
wifi_ieee80211_packet_t
Struct to store the payload of a Wi-Fi packet.
Definition WiFiTools.h:56
Generated by doxygen 1.9.8