/* Wrapper function for Radio Tap / Dot11 / LLC */ const void *build_snap_packet(size_t *len) { const void *rt_header = NULL, *dot11_header = NULL, *llc_header = NULL, *packet = NULL; size_t rt_len = 0, dot11_len = 0, llc_len = 0, packet_len = 0; rt_header = build_radio_tap_header(&rt_len); dot11_header = build_dot11_frame_header(FC_STANDARD, &dot11_len); llc_header = build_llc_header(&llc_len); if(rt_header && dot11_header && llc_header) { packet_len = rt_len + dot11_len + llc_len; packet = malloc(packet_len); if(packet) { memset((void *) packet, 0, packet_len); memcpy((void *) packet, rt_header, rt_len); memcpy((void *) ((char *) packet+rt_len), dot11_header, dot11_len); memcpy((void *) ((char *) packet+rt_len+dot11_len), llc_header, llc_len); *len = packet_len; } free((void *) rt_header); free((void *) dot11_header); free((void *) llc_header); } return packet; }
/* Authenticate ourselves with the AP */ void authenticate() { const void *radio_tap = NULL, *dot11_frame = NULL, *management_frame = NULL, *packet = NULL; size_t radio_tap_len = 0, dot11_frame_len = 0, management_frame_len = 0, packet_len = 0; radio_tap = build_radio_tap_header(&radio_tap_len); dot11_frame = build_dot11_frame_header(FC_AUTHENTICATE, &dot11_frame_len); management_frame = build_authentication_management_frame(&management_frame_len); packet_len = radio_tap_len + dot11_frame_len + management_frame_len; if(radio_tap && dot11_frame && management_frame) { packet = malloc(packet_len); if(packet) { memset((void *) packet, 0, packet_len); memcpy((void *) packet, radio_tap, radio_tap_len); memcpy((void *) ((char *) packet+radio_tap_len), dot11_frame, dot11_frame_len); memcpy((void *) ((char *) packet+radio_tap_len+dot11_frame_len), management_frame, management_frame_len); pcap_inject(get_handle(), packet, packet_len); free((void *) packet); } } if(radio_tap) free((void *) radio_tap); if(dot11_frame) free((void *) dot11_frame); if(management_frame) free((void *) management_frame); return; }
/* Deauthenticate ourselves from the AP */ void deauthenticate() { const void *radio_tap = NULL, *dot11_frame = NULL, *packet = NULL; size_t radio_tap_len = 0, dot11_frame_len = 0, packet_len = 0; radio_tap = build_radio_tap_header(&radio_tap_len); dot11_frame = build_dot11_frame_header(FC_DEAUTHENTICATE, &dot11_frame_len); packet_len = radio_tap_len + dot11_frame_len + DEAUTH_REASON_CODE_SIZE; if(radio_tap && dot11_frame) { packet = malloc(packet_len); if(packet) { memset((void *) packet, 0, packet_len); memcpy((void *) packet, radio_tap, radio_tap_len); memcpy((void *) ((char *) packet+radio_tap_len), dot11_frame, dot11_frame_len); memcpy((void *) ((char *) packet+radio_tap_len+dot11_frame_len), DEAUTH_REASON_CODE, DEAUTH_REASON_CODE_SIZE); pcap_inject(get_handle(), packet, packet_len); free((void *) packet); } } if(radio_tap) free((void *) radio_tap); if(dot11_frame) free((void *) dot11_frame); return; }
/* Authenticate ourselves with the AP */ static void authenticate(void) { size_t radio_tap_len, dot11_frame_len, management_frame_len, packet_len, offset; struct radio_tap_header radio_tap; struct dot11_frame_header dot11_frame; struct authentication_management_frame management_frame; radio_tap_len = build_radio_tap_header(&radio_tap); dot11_frame_len = build_dot11_frame_header(&dot11_frame, FC_AUTHENTICATE); management_frame_len = build_authentication_management_frame(&management_frame); packet_len = radio_tap_len + dot11_frame_len + management_frame_len; unsigned char packet[ sizeof (struct radio_tap_header) + sizeof (struct dot11_frame_header) + sizeof (struct authentication_management_frame)]; assert(packet_len == sizeof packet); offset = 0; memcpy(packet + offset, &radio_tap, radio_tap_len); offset += radio_tap_len; memcpy(packet + offset, &dot11_frame, dot11_frame_len); offset += dot11_frame_len; memcpy(packet + offset, &management_frame, management_frame_len); send_packet(packet, packet_len, 1); cprintf(VERBOSE, "[+] Sending authentication request\n"); }
/* Associate with the AP */ static void associate(void) { size_t radio_tap_len, dot11_frame_len, management_frame_len, ssid_tag_len, wps_tag_len, rates_tag_len, ht_tag_len, packet_len, offset = 0; struct radio_tap_header radio_tap; struct dot11_frame_header dot11_frame; struct association_request_management_frame management_frame; char *essid = get_ssid(); if(!essid) essid = ""; unsigned char ssid_tag[sizeof (struct tagged_parameter) + IW_ESSID_MAX_SIZE]; unsigned char rates_tag[128]; unsigned char wps_tag[sizeof (struct tagged_parameter) + WPS_TAG_SIZE]; unsigned char ht_tag[128]; radio_tap_len = build_radio_tap_header(&radio_tap); dot11_frame_len = build_dot11_frame_header(&dot11_frame, FC_ASSOCIATE); management_frame_len = build_association_management_frame(&management_frame); ssid_tag_len = build_ssid_tagged_parameter(ssid_tag, essid); rates_tag_len = build_supported_rates_tagged_parameter(rates_tag, sizeof rates_tag); wps_tag_len = build_wps_tagged_parameter(wps_tag); if(!NO_REPLAY_HTCAPS) { ht_tag_len = build_htcaps_parameter(ht_tag, sizeof ht_tag); } else { ht_tag_len = 0; } packet_len = radio_tap_len + dot11_frame_len + management_frame_len + ssid_tag_len + wps_tag_len + rates_tag_len + ht_tag_len; unsigned char packet[512]; assert(packet_len < sizeof packet); memcpy(packet, &radio_tap, radio_tap_len); offset += radio_tap_len; memcpy(packet+offset, &dot11_frame, dot11_frame_len); offset += dot11_frame_len; memcpy(packet+offset, &management_frame, management_frame_len); offset += management_frame_len; memcpy(packet+offset, ssid_tag, ssid_tag_len); offset += ssid_tag_len; memcpy(packet+offset, rates_tag, rates_tag_len); offset += rates_tag_len; memcpy(packet+offset, ht_tag, ht_tag_len); offset += ht_tag_len; memcpy(packet+offset, wps_tag, wps_tag_len); send_packet(packet, packet_len, 1); cprintf(VERBOSE, "[+] Sending association request\n"); }
const void *build_wps_probe_request(unsigned char *bssid, char *essid, size_t *len) { struct tagged_parameter ssid_tag = { 0 }; const void *rt_header = NULL, *dot11_header = NULL, *packet = NULL; size_t offset = 0, rt_len = 0, dot11_len = 0, ssid_tag_len = 0, packet_len = 0; if(essid != NULL) { ssid_tag.len = (uint8_t) strlen(essid); } else { ssid_tag.len = 0; } ssid_tag.number = SSID_TAG_NUMBER; ssid_tag_len = ssid_tag.len + sizeof(struct tagged_parameter); rt_header = build_radio_tap_header(&rt_len); dot11_header = build_dot11_frame_header(FC_PROBE_REQUEST, &dot11_len); if(rt_header && dot11_header) { packet_len = rt_len + dot11_len + ssid_tag_len + WPS_PROBE_IE_SIZE; packet = malloc(packet_len); if(packet) { memset((void *) packet, 0, packet_len); memcpy((void *) packet, rt_header, rt_len); offset += rt_len; memcpy((void *) ((char *) packet+offset), dot11_header, dot11_len); offset += dot11_len; memcpy((void *) ((char *) packet+offset), (void *) &ssid_tag, sizeof(ssid_tag)); offset += sizeof(ssid_tag); memcpy((void *) ((char *) packet+offset), essid, ssid_tag.len); offset += ssid_tag.len; memcpy((void *) ((char *) packet+offset), WPS_PROBE_IE, WPS_PROBE_IE_SIZE); offset += WPS_PROBE_IE_SIZE; *len = packet_len; } } if(rt_header) free((void *) rt_header); if(dot11_header) free((void *) dot11_header); return packet; }
/* Associate with the AP */ void associate() { const void *radio_tap = NULL, *dot11_frame = NULL, *management_frame = NULL, *ssid_tag = NULL, *wps_tag = NULL, *rates_tag = NULL, *packet = NULL; size_t radio_tap_len = 0, dot11_frame_len = 0, management_frame_len = 0, ssid_tag_len = 0, wps_tag_len = 0, rates_tag_len = 0, packet_len = 0, offset = 0; radio_tap = build_radio_tap_header(&radio_tap_len); dot11_frame = build_dot11_frame_header(FC_ASSOCIATE, &dot11_frame_len); management_frame = build_association_management_frame(&management_frame_len); ssid_tag = build_ssid_tagged_parameter(&ssid_tag_len); rates_tag = build_supported_rates_tagged_parameter(&rates_tag_len); wps_tag = build_wps_tagged_parameter(&wps_tag_len); packet_len = radio_tap_len + dot11_frame_len + management_frame_len + ssid_tag_len + wps_tag_len + rates_tag_len; if(radio_tap && dot11_frame && management_frame && ssid_tag && wps_tag && rates_tag) { packet = malloc(packet_len); if(packet) { memset((void *) packet, 0, packet_len); memcpy((void *) packet, radio_tap, radio_tap_len); offset += radio_tap_len; memcpy((void *) ((char *) packet+offset), dot11_frame, dot11_frame_len); offset += dot11_frame_len; memcpy((void *) ((char *) packet+offset), management_frame, management_frame_len); offset += management_frame_len; memcpy((void *) ((char *) packet+offset), ssid_tag, ssid_tag_len); offset += ssid_tag_len; memcpy((void *) ((char *) packet+offset), rates_tag, rates_tag_len); offset += rates_tag_len; memcpy((void *) ((char *) packet+offset), wps_tag, wps_tag_len); pcap_inject(get_handle(), packet, packet_len); free((void *) packet); } } if(radio_tap) free((void *) radio_tap); if(dot11_frame) free((void *) dot11_frame); if(management_frame) free((void *) management_frame); if(ssid_tag) free((void *) ssid_tag); if(wps_tag) free((void *) wps_tag); if(rates_tag) free((void *) rates_tag); return; }
/* Deauthenticate ourselves from the AP */ static void deauthenticate(void) { size_t radio_tap_len, dot11_frame_len, packet_len, offset = 0; struct radio_tap_header radio_tap; struct dot11_frame_header dot11_frame; radio_tap_len = build_radio_tap_header(&radio_tap); dot11_frame_len = build_dot11_frame_header(&dot11_frame, FC_DEAUTHENTICATE); packet_len = radio_tap_len + dot11_frame_len + DEAUTH_REASON_CODE_SIZE; unsigned char packet[sizeof radio_tap + sizeof dot11_frame + DEAUTH_REASON_CODE_SIZE]; assert(sizeof packet == packet_len); memcpy(packet, &radio_tap, radio_tap_len); offset += radio_tap_len; memcpy(packet + offset, &dot11_frame, dot11_frame_len); offset += dot11_frame_len; memcpy(packet + offset, DEAUTH_REASON_CODE, DEAUTH_REASON_CODE_SIZE); send_packet(packet, packet_len, 1); }