static void process_beacon(struct ieee80211_frame * wh, int totlen)
{
REQUIRE(wh != NULL);
unsigned char * p = (unsigned char *) (wh + 1);
int bhlen = 8 + 2 + 2;
int len = totlen;
char ssid[256];
int wpa = 0;
int rc;
int ssids = 0;
int hidden = 0;
struct network * n;
totlen -= sizeof(*wh);
if (totlen < bhlen) goto __bad;
if (!(IEEE80211_BEACON_CAPABILITY(p) & IEEE80211_CAPINFO_PRIVACY)) return;
p += bhlen;
totlen -= bhlen;
ssid[0] = 0;
while (totlen > 2)
{
int id = *p++;
int l = *p++;
totlen -= 2;
if (totlen < l) goto __bad;
switch (id)
{
case IEEE80211_ELEMID_SSID:
if (++ssids > 1) break;
if (l == 0 || p[0] == 0)
hidden = 1;
else
{
memcpy(ssid, p, l);
ssid[l] = 0;
}
break;
case IEEE80211_ELEMID_VENDOR:
if ((rc = parse_elem_vendor(&p[-2], l + 2)) == -1) goto __bad;
if (rc) wpa = 1;
break;
case IEEE80211_ELEMID_RSN:
if ((rc = parse_rsn(p, l, 1)) == -1) goto __bad;
if (rc) wpa = 1;
break;
}
p += l;
totlen -= l;
}
if (!wpa) return;
n = find_add_net(wh->i_addr3);
if (n->n_beaconlen) return;
n->n_beaconlen = len;
ALLEGE(n->n_beaconlen <= (int) sizeof(n->n_beacon));
memcpy(n->n_beacon, wh, n->n_beaconlen);
strncpy(n->n_ssid, ssid, sizeof(n->n_ssid));
(n->n_ssid)[sizeof(n->n_ssid) - 1] = '\0';
check_network(n);
return;
__bad:
printf("bad beacon\n");
}
static int get_victim_ssid(struct wstate *ws, struct ieee80211_frame* wh,
int len)
{
unsigned char* ptr;
int x;
int gots = 0, gotc = 0;
if (len <= (int) sizeof(*wh)) {
time_print("Warning: short packet in get_victim_ssid()\n");
return 0;
}
ptr = (unsigned char*)wh + sizeof(*wh);
len -= sizeof(*wh);
// only wep baby
if ( !(IEEE80211_BEACON_CAPABILITY(ptr) & IEEE80211_CAPINFO_PRIVACY)) {
return 0;
}
// we want a specific victim
if (ws->ws_victim_mac) {
if (memcmp(wh->i_addr3, ws->ws_victim_mac, 6) != 0)
return 0;
}
// beacon header
x = 8 + 2 + 2;
if (len <= x) {
time_print("Warning short.\n");
return 0;
}
ptr += x;
len -= x;
// SSID
while(len > 2) {
int eid, elen;
eid = *ptr;
ptr++;
elen = *ptr;
ptr++;
len -= 2;
if (len < elen) {
time_print("Warning short....\n");
return 0;
}
// ssid
if (eid == 0) {
if (ws->ws_ssid)
free(ws->ws_ssid);
ws->ws_ssid = (char*) malloc(elen + 1);
if (!ws->ws_ssid) {
perror("malloc()");
exit(1);
}
memcpy(ws->ws_ssid, ptr, elen);
ws->ws_ssid[elen] = 0;
gots = 1;
}
// chan
else if(eid == 3) {
if( elen != 1) {
time_print("Warning len of chan not 1\n");
return 0;
}
ws->ws_apchan = *ptr;
gotc = 1;
}
ptr += elen;
len -= elen;
}
if (gots && gotc) {
memcpy(ws->ws_bss, wh->i_addr3, 6);
set_chan(ws, ws->ws_apchan);
ws->ws_state = FOUND_VICTIM;
time_print("Found SSID(%s) BSS=(%s) chan=%d\n",
ws->ws_ssid, mac2str(ws->ws_bss), ws->ws_apchan);
return 1;
}
return 0;
}
void get_beacon_info(unsigned char* data, int rd,
struct node_info* node) {
int blen = 8 + 2 + 2;
strcpy(node->ssid, "<hidden>");
node->chan = 0;
node->wep = CRYPT_NONE;
assert(rd >= blen);
if (IEEE80211_BEACON_CAPABILITY(data) & IEEE80211_CAPINFO_PRIVACY)
node->wep = CRYPT_WEP;
data += blen;
rd -= blen;
while (rd > 2) {
int eid, elen;
eid = *data;
data++;
elen = *data;
data++;
rd -= 2;
// short!
if (rd < elen) {
return;
}
// ssid
if (eid == 0) {
if (elen == 1 && data[0] == 0) {
// hidden
}
else {
memcpy(node->ssid, data, elen);
node->ssid[elen] = 0;
}
}
// chan
else if(eid == 3) {
// weird chan!
if( elen != 1)
goto next;
node->chan = *data;
}
// WPA
else if (eid == 221 && node->wep == CRYPT_WEP) {
struct ieee80211_ie_wpa* wpa;
wpa = (struct ieee80211_ie_wpa*) data;
if (elen < 6)
goto next;
if (!memcmp(wpa->wpa_oui, "\x00\x50\xf2", 3)) {
// node->wep = CRYPT_WPA;
}
else
goto next;
if (wpa->wpa_type == WPA_OUI_TYPE &&
le16toh(wpa->wpa_version) == WPA_VERSION) {
int cipher, auth;
unsigned char* ptr;
node->wep = CRYPT_WPA1;
if (elen < 12)
goto next;
cipher = ((unsigned char*) wpa->wpa_mcipher)[3];
ptr = (unsigned char*)wpa + 12 +
4 * le16toh(wpa->wpa_uciphercnt);
if (elen < (ptr - data + 6))
goto next;
if ( *((unsigned short*) ptr) == 0)
goto next;
ptr += 2 + 3;
auth = *ptr;
if (cipher == WPA_CSE_TKIP) {
node->wep = CRYPT_WPA1_TKIP;
if (auth == WPA_ASE_8021X_PSK)
node->wep = CRYPT_WPA1_TKIP_PSK;
}
if (cipher == WPA_CSE_CCMP) {
node->wep = CRYPT_WPA1_CCMP;
if (auth == WPA_ASE_8021X_PSK)
node->wep = CRYPT_WPA1_CCMP_PSK;
}
}
}
else if (eid == 48 && node->wep == CRYPT_WEP) {
unsigned char* ptr;
// XXX no bounds checking
ptr = data;
if (ptr[0] == 1 && ptr[1] == 0) {
unsigned short* count;
int cipher = 0;
ptr += 2;
node->wep = CRYPT_80211i;
if (!memcmp(ptr, "\x00\x0f\xac\x02", 4)) {
node->wep = CRYPT_80211i_TKIP;
cipher = 1;
}
ptr += 4;
count = (unsigned short*) ptr;
ptr +=2 + *count*4;
count = (unsigned short*) ptr;
if (*count) {
ptr += 2;
if (!memcmp(ptr,"\x00\x0f\xac\x02", 4)) {
if (cipher)
node->wep = CRYPT_80211i_TKIP_PSK;
}
}
}
}
next:
data += elen;
rd -= elen;
}
}
