Merge branch 'testing'

Author: Stefan Kremser

README.md

@@ -1,5 +1,5 @@
 # ESP8266 Deauther
-Build your own WiFi jammer with an ESP8266.
+Deauthentication attack and other hacks using an ESP8266.
 
 ![esp8266 deauther with a smartphone](https://raw.githubusercontent.com/spacehuhn/esp8266_deauther/master/screenshots/smartphone_esp_1.jpg)
 
@@ -24,39 +24,40 @@ Build your own WiFi jammer with an ESP8266.
 
 Basically it’s a device which performs a [deauth attack](https://en.wikipedia.org/wiki/Wi-Fi_deauthentication_attack).  
 You select the clients you want to disconnect from their network and start the attack. As long as the attack is running, the
-selected devices are unable to connect to their network.
+selected devices are unable to connect to their network.  
+Other attacks also have been implemented, such as beacon or probe request flooding.  
 
 ### How it works
 
-The 802.11 WiFi protocol contains a so called [deauthentication frame](https://mrncciew.com/2014/10/11/802-11-mgmt-deauth-disassociation-frames/). It is used to disconnect clients safely from a wireless
+The 802.11 Wi-Fi protocol contains a so called [deauthentication frame](https://mrncciew.com/2014/10/11/802-11-mgmt-deauth-disassociation-frames/). It is used to disconnect clients safely from a wireless
 network.
 
-Because these packets are unencrypted, you just need the mac address of the WiFi router and of the client device which you want to disconnect from the network. You don’t need to be in the network or know the password, it’s enough to be in its range.
+Because these management packets are unencrypted, you just need the mac address of the Wi-Fi router and of the client device which you want to disconnect from the network. You don’t need to be in the network or know the password, it’s enough to be in its range.
 
 ### What an ESP8266 is
 
-The [ESP8266](https://de.wikipedia.org/wiki/ESP8266) is a very cheap micro controller with build in WiFi. It contains a powerfull 160 MHz processor and you can program it
-with the [Arduino IDE](https://www.arduino.cc/en/Main/Software). This makes it perfect for this project.
+The [ESP8266](https://de.wikipedia.org/wiki/ESP8266) is a cheap micro controller with built-in Wi-Fi. It contains a powerfull 160 MHz processor and it can be programmed using [Arduino](https://www.arduino.cc/en/Main/Software).  
 
 You can buy these chips for under $2 from China!
 
 ### How to protect against it
 
-With [802.11w-2009](https://en.wikipedia.org/wiki/IEEE_802.11w-2009) WiFi got an update to encrypt management frames.
-So make sure your router is up to date and has management frame protection enabled. But be sure that your client device
-supports it too, both ends need to have it enabled!
+With [802.11w-2009](https://en.wikipedia.org/wiki/IEEE_802.11w-2009) Wi-Fi got an update to encrypt management frames.
+So make sure your router is up to date and has management frame protection enabled. But note that your client device needs to 
+support it too, both ends need to have it enabled!
 
-The only problem is that most devices don’t use it. I tested it with different WiFi networks and devices, it worked every time! It seems that even newer devices which support frame protection don’t use it by default.
+The only problem is that most devices don’t use it. I tested it with different Wi-Fi networks and devices, it worked every time! It seems that even newer devices which support frame protection don’t use it by default.
 
 ## Disclaimer
 
-Use it only for testing purposes on your own devices!
+Use it only for testing purposes on your own devices!  
+I don't take any responsibility for what you do with this program.  
 
 Please check the legal regulations in your country before using it. Jamming transmitters are illegal in most countries 
 and this device can fall into the same category (even if it’s technically not the same).
 
 My intention with this project is to draw attention to this issue. 
-This attack shows how vulnerable the 802.11 WiFi standard is and that it has to be fixed.
+This attack shows how vulnerable the 802.11 Wi-Fi standard is and that it has to be fixed.
 **A solution is already there, why don’t we use it?**
 
 ## Installation
@@ -111,19 +112,19 @@ Make sure you select the right com-port, the right upload size of your ESP8266 a
 **11** Scroll down and before `#endif` add following lines:
 
 `typedef void (*freedom_outside_cb_t)(uint8 status);`  
-`int wifi_register_send_pkt_freedom_cb(freedom_outside_cb_t cb);`  
-`void wifi_unregister_send_pkt_freedom_cb(void);`  
-`int wifi_send_pkt_freedom(uint8 *buf, int len, bool sys_seq);`  
+`int Wi-Fi_register_send_pkt_freedom_cb(freedom_outside_cb_t cb);`  
+`void Wi-Fi_unregister_send_pkt_freedom_cb(void);`  
+`int Wi-Fi_send_pkt_freedom(uint8 *buf, int len, bool sys_seq);`  
 
 ![screenshot of notepad, copy paste the right code](https://raw.githubusercontent.com/spacehuhn/esp8266_deauther/master/screenshots/notepad_screenshot_1.JPG)
 
 **don't forget to save!**
 
 **12** Go to the SDK_fix folder of this project
 
-**13** Copy ESP8266WiFi.cpp and ESP8266WiFi.h
+**13** Copy ESP8266Wi-Fi.cpp and ESP8266Wi-Fi.h
 
-**14** Past these files here `packages` > `esp8266` > `hardware` > `esp8266` > `2.0.0` > `libraries` > `ESP8266WiFi` > `src`
+**14** Past these files here `packages` > `esp8266` > `hardware` > `esp8266` > `2.0.0` > `libraries` > `ESP8266Wi-Fi` > `src`
 
 **15** Open `esp8266_deauther` > `esp8266_deauther.ino` in Arduino
 
@@ -143,7 +144,7 @@ First start your ESP8266 by giving it power.
 You can use your smartphone if you have a USB OTG cable.
 ![esp8266 deauther with a smartphone](https://raw.githubusercontent.com/spacehuhn/esp8266_deauther/master/screenshots/smartphone_esp_2.jpg)
 
-Scan for WiFi networks and connect to `pwned`. The password is `deauther`.  
+Scan for Wi-Fi networks and connect to `pwned`. The password is `deauther`.  
 Once connected, you can open up your browser and go to `192.168.4.1`.  
 
 You can now scan for networks...
@@ -152,7 +153,7 @@ You can now scan for networks...
 scan for client devices... 
 ![webinterface client scanner](https://raw.githubusercontent.com/spacehuhn/esp8266_deauther/master/screenshots/web_screenshot_2.JPG)
 
-Note: While scanning the ESP8266 will shut down its access point, so you may have to go to your settings and reconnect to the WiFi network manually.
+Note: While scanning the ESP8266 will shut down its access point, so you may have to go to your settings and reconnect to the Wi-Fi network manually.
 
 ...and start different attacks.
 ![webinterface attack menu](https://raw.githubusercontent.com/spacehuhn/esp8266_deauther/master/screenshots/web_screenshot_3.JPG)
@@ -168,14 +169,14 @@ Yes, but I will not implement this 'feature' for ethical and legal reasons.
 **Can it sniff handshakes?**
 
 The ESP8266 has a promiscuous mode in which you can sniff packets, but handshake packets are dropped and there is no other way to get them with the functions provided by the SDK.  
-Maybe someone will find a way around this barrier but I wasn't able to.
+Maybe someone will find a way around this barrier.
 
 **espcomm_sync failed/espcomm_open when uploading**
 
 The ESP upload tool can't communicate with the chip, make sure the right port is selected!  
 You can also try out different USB ports and cables.  
 If this doesn't solve it you may have to install USB drivers.  
-Which drivers you need depends on the board, most boards use a cp2102, cp2104 or ch340.
+Which drivers you need depends on the board, most boards use a cp2102 or ch340.
 
 **AP scan doesn't work**
 
@@ -184,16 +185,16 @@ Try out switching the browser or open the website with another device.
 
 **Deauth attack won't work**
 
-If you see 0 pkts/s on the website you have made a mistake. Check if you have followed the the installation steps correctly and that the right SDK installed, it must be version 2.0.0!  
-If it can send packets but your target don't loose its connection then the WiFi router uses [802.11w](#how-to-protect-against-it) and it's protected against such attacks or they communicate via 5 GHz WiFi, which the ESP8266 doesn't support.
+If you see 0 pkts/s on the website you've made a mistake. Check if you have followed the the installation steps correctly and that the right SDK installed, it must be version 2.0.0!  
+If it can send packets but your target don't loose its connection then the Wi-Fi router uses [802.11w](#how-to-protect-against-it) and it's protected against such attacks or they communicate via 5 GHz Wi-Fi, which the ESP8266 doesn't support.
 
 
 ###If you have other questions or problems with the ESP8266 you can also check out the official [community forum](http://www.esp8266.com/).
 
 
 ## License
 
-This project is licensed under the MIT License - see the [license file](LICENSE) file for details
+This project is licensed under the MIT License - see the [license file](LICENSE) file for details.
 
 ## Sources and additional links
 
@@ -207,14 +208,15 @@ ESP8266:
 
 packet injection with ESP8266: 
 * http://hackaday.com/2016/01/14/inject-packets-with-an-esp8266/
-* http://bbs.espressif.com/viewtopic.php?f=7&t=1357&p=10205&hilit=wifi_pkt_freedom#p10205
+* http://bbs.espressif.com/viewtopic.php?f=7&t=1357&p=10205&hilit=Wi-Fi_pkt_freedom#p10205
 * https://github.com/pulkin/esp8266-injection-example
 
 802.11w-2009: https://en.wikipedia.org/wiki/IEEE_802.11w-2009
 
-wifi_send_pkt_freedom function limitations: http://esp32.com/viewtopic.php?f=13&t=586&p=2648&hilit=wifi_send_pkt_freedom#p2648
+Wi-Fi_send_pkt_freedom function limitations: http://esp32.com/viewtopic.php?f=13&t=586&p=2648&hilit=Wi-Fi_send_pkt_freedom#p2648
 
-esp32 esp_wifi_internal function limitations: http://esp32.com/viewtopic.php?f=13&t=586&p=2648&hilit=wifi_send_pkt_freedom#p2648
+esp32 esp_Wi-Fi_internal function limitations: http://esp32.com/viewtopic.php?f=13&t=586&p=2648&hilit=Wi-Fi_send_pkt_freedom#p2648
 
 Videos:  
-[![Cheap Wifi 'Jammer' Device | NodeMCU](https://img.youtube.com/vi/oQQhBdCQOTM/0.jpg)](https://www.youtube.com/watch?v=oQQhBdCQOTM)
+[![Cheap Wi-Fi 'Jammer' Device | NodeMCU](https://img.youtube.com/vi/oQQhBdCQOTM/0.jpg)](https://www.youtube.com/watch?v=oQQhBdCQOTM)
+[![Wifi 'Jammer' Device V1.1 | Setup Tutorial](https://img.youtube.com/vi/r5aoV5AolNo/0.jpg)](https://www.youtube.com/watch?v=r5aoV5AolNo)

esp8266_deauther/APScan.cpp

@@ -26,6 +26,8 @@ bool APScan::start(){
       _ssid.toCharArray(names[i],33);
       //data_getVendor(WiFi.BSSID(i)[0],WiFi.BSSID(i)[1],WiFi.BSSID(i)[2]).toCharArray(vendors[i],9);
       if(debug){
+        Serial.print((String)i);
+        Serial.print(" - ");
         _ap._print();
         Serial.print(" - ");
         Serial.print(channels[i]);
@@ -44,7 +46,8 @@ bool APScan::start(){
     }
 
     //for debugging the APScan crash bug
-    /*if(debug){
+    /*
+    if(debug){
       for(int i=results;i<maxAPScanResults;i++){
         Mac _ap;
         _ap.set(random(255),random(255),random(255),random(255),random(255),random(255));
@@ -55,6 +58,8 @@ bool APScan::start(){
         String _ssid = "test_dbeJwq3tPtJsuWtgULgShD9dxXV";
         _ssid.toCharArray(names[i],33);
 
+        Serial.print((String)i);
+        Serial.print(" - ");
         _ap._print();
         Serial.print(" - ");
         Serial.print(channels[i]);
@@ -68,10 +73,10 @@ bool APScan::start(){
 
         results++;
       }
-    }*/
+    }
+    */
 
     if(debug) Serial.println("scan done");
-    if(debug) Serial.println(getResults());
     return true;
 }
 
@@ -115,6 +120,67 @@ int APScan::getFirstTarget(){
   return -1;
 }
 
+void APScan::sendResults(){
+  if(debug) Serial.print("sending AP scan result JSON ");
+
+  size_t _size = 10; // {"aps":[]}
+  for(int i=0;i<results && i<maxAPScanResults;i++){
+    /*
+      _size++; // {
+      _size += 5; // "i": ,
+      _size += String(i).length();
+      _size += 5; // "c": ,
+      _size += String(getAPChannel(i)).length();
+      _size += 24; // "m":"d4:21:22:da:85:f3",
+      _size += 8; // "ss":" ",
+      _size += getAPName(i).length();
+      _size += 5; // "r": ,
+      _size += String(getAPRSSI(i)).length();
+      _size += 6; // "e": ,
+      _size += 6; // "se":0
+      _size++; // }*/
+      _size += 61;
+      _size += String(i).length();
+      _size += String(getAPChannel(i)).length();
+      _size += getAPName(i).length();
+      _size += String(getAPRSSI(i)).length();
+      
+      if((i!=results-1) && (i!=maxAPScanResults-1)) _size++; // ,
+  }
+
+  sendHeader(200, "text/json", _size);
+  
+  String json;
+  int bufc = 0; //bufferCounter
+  json = "{\"aps\":[";
+
+  sendToBuffer(json);
+  
+  for(int i=0;i<results && i<maxAPScanResults;i++){
+    if(debug) Serial.print(".");
+    json = "{";
+    json += "\"i\":"+(String)i+",";
+    json += "\"c\":"+(String)getAPChannel(i)+",";
+    json += "\"m\":\""+getAPMac(i)+"\",";
+    json += "\"ss\":\""+getAPName(i)+"\",";
+    json += "\"r\":"+(String)getAPRSSI(i)+",";
+    json += "\"e\":"+(String)encryption[i]+",";
+    //json += "\"v\":\""+getAPVendor(i)+"\",";
+    json += "\"se\":"+(String)getAPSelected(i);
+    json += "}";
+    if((i!=results-1) && (i!=maxAPScanResults-1)) json += ",";
+    
+    sendToBuffer(json);
+  
+  }
+  json = "]}";
+  sendToBuffer(json);
+  sendBuffer();
+    
+  if(debug) Serial.println("done");
+
+}
+
 String APScan::getResults(){
   if(debug) Serial.print("getting AP scan result JSON ");
   String json = "{ \"aps\":[ ";
@@ -175,4 +241,4 @@ void APScan::select(int num){
 
 bool APScan::isSelected(int num){
   return selected[num];
-}
+}

esp8266_deauther/APScan.h

@@ -1,14 +1,19 @@
 #ifndef APScan_h
 #define APScan_h
 
-#define maxAPScanResults 30
+#define maxAPScanResults 80
 
 #include <ESP8266WiFi.h>
 #include "Mac.h"
 #include "MacList.h"
 #include "Settings.h"
+#include <ESP8266WebServer.h>
 
 extern String data_getVendor(uint8_t first,uint8_t second,uint8_t third);
+extern ESP8266WebServer server;
+extern void sendBuffer();
+extern void sendToBuffer(String str);
+extern void sendHeader(int code, String type, size_t _size);
 extern const bool debug;
 
 extern Settings settings;
@@ -21,6 +26,7 @@ class APScan{
     String getResults();
     String getResult(int i);
     void select(int num);
+    void sendResults();
 
     String getAPName(int num);
     String getAPEncryption(int num);
@@ -38,6 +44,7 @@ class APScan{
     int selectedSum;
     MacList aps;
   private:
+  
     int channels[maxAPScanResults];
     int rssi[maxAPScanResults];
     char names[maxAPScanResults][33];
@@ -47,6 +54,7 @@ class APScan{
     String getEncryption(int code);
 
     bool selected[maxAPScanResults];
+    
 };
 
-#endif
+#endif

esp8266_deauther/Attack.cpp

@@ -11,7 +11,7 @@ void Attack::generate(){
   uint8_t _randomMacBuffer[6];
   beaconAdrs._clear();
 
-  for(int i=0;i<macListLen;i++) channels[i] = random(1,12);
+  for(int i=0;i<macListLen;i++) channels[i] = random(1,maxChannel);
   do{
     getRandomVendorMac(_randomMacBuffer);
     for(int i=0;i<6;i++) _randomBeaconMac.setAt(_randomMacBuffer[i],i);
@@ -136,7 +136,7 @@ void Attack::run(){
             _selectedClients++;
 
             if(settings.channelHop){
-              for(int j=1;j<12;j++){
+              for(int j=1;j<maxChannel;j++){
                 wifi_set_channel(j);
 
                 buildDeauth(_ap, clientScan.getClientMac(i), 0xc0, settings.deauthReason );
@@ -160,7 +160,7 @@ void Attack::run(){
           _client.set(0xFF,0xFF,0xFF,0xFF,0xFF,0xFF);
 
           if(settings.channelHop){
-              for(int j=1;j<12;j++){
+              for(int j=1;j<maxChannel;j++){
                 wifi_set_channel(j);
 
                 buildDeauth(_ap, _client, 0xc0, settings.deauthReason );

esp8266_deauther/Attack.h

@@ -1,6 +1,8 @@
 #ifndef Attack_h
 #define Attack_h
 
+#define maxChannel 11
+
 #include <ESP8266WiFi.h>
 
 extern "C" {

esp8266_deauther/ClientScan.cpp

@@ -25,9 +25,11 @@ void ClientScan::start(int _time){
   curChannel = 0;
 
   for(int i=0;i<apScan.results;i++){
-    if(!intInArray(apScan.getAPChannel(i),channels)){
-      channels[channelsNum] = apScan.getAPChannel(i);
-      channelsNum++;
+    if(apScan.isSelected(i)){
+      if(!intInArray(apScan.getAPChannel(i),channels)){
+        channels[channelsNum] = apScan.getAPChannel(i);
+        channelsNum++;
+      }
     }
   }