int main(int argc, char **argv)
{
if (argc < 1) return 1;
static unsigned char expected[PLEN] =
"\x1d\x4d\xf5\x5d\xd8\xd9\x13\xf5\x54\x0d\x05\x3c\xdb\x57\x83\x53"
"\xd0\x6c\x0f\xb3\x50\x71\x10\xee\x48\xda\xce\x2b\x60\xf6\xd0\xd4"
"\xc2\x24\x39\x9f\xe8\x1d\x1e\x80";
static char key[KLEN] =
"\x6E\x9C\x7A\x91\x9F\xB8\xAE\x93\xC1\xAB\x80\x3C\x09\x00";
static char essid[8] = "T3st1ng";
unsigned char pmk[PLEN];
printf("Calc try\n");
calc_pmk( key, essid, pmk );
hexdump(pmk, PLEN);
printf("-----------------\n");
printf("Expected\n");
hexdump(expected, PLEN);
printf("-----------------\n");
}
// sql function. takes ESSID and PASSWD, gives PMK
void sql_calcpmk(sqlite3_context* context, int argc, sqlite3_value** values) {
unsigned char pmk[40];
char* passwd = (char*)sqlite3_value_blob(values[1]);
char* essid = (char*)sqlite3_value_blob(values[0]);
if (argc < 2 || passwd == 0 || essid == 0) {
sqlite3_result_error(context, "SQL function PMK() called with invalid arguments.\n", -1);
return;
}
calc_pmk(passwd,essid,pmk);
sqlite3_result_blob(context,pmk,32,SQLITE_TRANSIENT);
}
void prof_pmk(char *essid)
{
TIME_STRUCT p1,p2;
char key[16][128];
unsigned char pmk_sol[16][40];
unsigned char pmk_fast[16][40];
int i,j;
for(i=0;i<16;i++)
{
strcpy(key[i],"atest");
key[i][0]+=i;
}
p1 = t_start();
for(i=0;i<16;i++)
calc_pmk(key[i],essid,pmk_sol[i]); //key값과 essid로부터 pmk 값을 계산함
t_end(&p1);
p2 = t_start();
calc_16pmk(key,essid,pmk_fast);
t_end(&p2);
//diff
for(i=0;i<16;i++)
{
if(memcmp(pmk_sol[i],pmk_fast[i],sizeof(pmk_sol[i])) != 0)
{
printf("* %d wrong case (key:%s)\n",i,key[i]);
dump_key("pmk_sol",pmk_sol[i],sizeof(pmk_sol[i]));
dump_key("pmk_fst",pmk_fast[i],sizeof(pmk_fast[i]));
}
}
printf("original : %0.2lf ms\n",t_get(p1)/1000);
printf("simd ver : %0.2lf ms\n",t_get(p2)/1000);
printf("performance : x%0.2lf\n",t_get(p1)/t_get(p2));
}
void* crack_cpu_thread(void *arg)
{
char essid[32];
char key[128];
uchar pmk[40];
uchar pke[100];
uchar ptk[80];
uchar mic[20];
ck_td_struct* ck_td_arg = (ck_td_struct*)arg;
wpa_hdsk* phdsk = ck_td_arg->phdsk;
int cpu_core_id = ck_td_arg->cpu_core_id;
float* calc_speed = ck_td_arg->calc_speed;
char* final_key = ck_td_arg->final_key;
char* final_key_flag = ck_td_arg->final_key_flag;
memset(essid, 0, sizeof(essid));
memcpy(essid, ck_td_arg->essid, 32);
pthread_t tid;
tid = pthread_self();
int i = 0;
unsigned long cnt = 0;
int cnt_int = 250;
struct timeval tnow;
struct timeval tlast;
int flag = 0;
pwd_range range;
unsigned long cur_key_digit;
// set cpu affinity
if (ck_td_arg->set_affinity)
{
cpu_set_t set;
CPU_ZERO(&set);
CPU_SET(cpu_core_id, &set);
flag = pthread_setaffinity_np(tid, sizeof(cpu_set_t), &set);
if (flag)
printf("thread %u set setaffinity failed: %s\n", (unsigned)tid, strerror(flag));
}
// do the calculation
while (1)
{
// get the password range
range = fetch_pwd('c', NULL, NULL);
if (range.start == -1)
break;
// loop through each key in range
for (cur_key_digit = range.start; cur_key_digit <= range.end; ++cur_key_digit)
{
// calculate the calculation speed
if (cnt == 0)
gettimeofday(&tlast, NULL);
else if (cnt%cnt_int == 0)
{
gettimeofday(&tnow, NULL);
calc_speed[cpu_core_id] = 1.0*cnt_int/(tnow.tv_sec-tlast.tv_sec+(tnow.tv_usec-tlast.tv_usec)*0.000001);
gettimeofday(&tlast, NULL);
}
cnt++;
// reset variables
memset(key, 0, sizeof(key));
memset(pmk, 0, sizeof(pmk));
memset(pke, 0, sizeof(pke));
memset(ptk, 0, sizeof(ptk));
memset(mic, 0, sizeof(mic));
// convert the key from digit to string
sprintf(key, "%08lu", cur_key_digit);
// calculate the PMK
calc_pmk(key, essid, pmk);
// pre-compute the key expansion buffer
memcpy(pke, "Pairwise key expansion", 23);
if (memcmp(phdsk->smac, phdsk->amac, 6) < 0)
{
memcpy(pke+23, phdsk->smac, 6);
memcpy(pke+29, phdsk->amac, 6);
}
else
{
memcpy(pke+23, phdsk->amac, 6);
memcpy(pke+29, phdsk->smac, 6);
}
if (memcmp(phdsk->snonce, phdsk->anonce, 32) < 0)
{
memcpy(pke+35, phdsk->snonce, 32);
memcpy(pke+67, phdsk->anonce, 32);
}
else
{
memcpy(pke+35, phdsk->anonce, 32);
memcpy(pke+67, phdsk->snonce, 32);
}
// calculate the PTK
for (i=0; i<4; i++)
{
pke[99] = i;
HMAC(EVP_sha1(), pmk, 32, pke, 100, ptk + i*20, NULL);
}
// calculate the MIC
if (phdsk->keyver == 1)
HMAC(EVP_md5(), ptk, 16, phdsk->eapol, phdsk->eapol_size, mic, NULL);
else
HMAC(EVP_sha1(), ptk, 16, phdsk->eapol, phdsk->eapol_size, mic, NULL);
// check if MIC agrees
if (memcmp(mic, phdsk->keymic, 16) == 0)
{
memcpy(final_key, key, strlen(key));
*final_key_flag = 1;
break;
}
}
// check if the final key is found
if (*final_key_flag)
break;
}
calc_speed[cpu_core_id] = -1; // this indicates the thread is returned
return NULL;
}
int main( int argc, char *argv[] )
{
time_t tt;
uint magic;
char *s, buf[128];
FILE *f_in, *f_out, *f_bad=NULL;
unsigned long crc;
int i = 0, n, linktype;
uint z;
uchar ZERO[32], *h80211;
uchar bssid[6], stmac[6];
struct WPA_ST_info *st_1st;
struct WPA_ST_info *st_cur;
struct WPA_ST_info *st_prv;
struct pcap_file_header pfh;
struct pcap_pkthdr pkh;
#ifdef USE_GCRYPT
// Disable secure memory.
gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
// Tell Libgcrypt that initialization has completed.
gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
#endif
/* parse the arguments */
memset( ZERO, 0, sizeof( ZERO ) );
memset( &opt, 0, sizeof( opt ) );
while( 1 )
{
int option_index = 0;
static struct option long_options[] = {
{"bssid", 1, 0, 'b'},
{"debug", 1, 0, 'd'},
{"help", 0, 0, 'H'},
{0, 0, 0, 0 }
};
int option = getopt_long( argc, argv, "lb:k:e:p:w:H",
long_options, &option_index );
if( option < 0 ) break;
switch( option )
{
case ':' :
printf("\"%s --help\" for help.\n", argv[0]);
return( 1 );
case '?' :
printf("\"%s --help\" for help.\n", argv[0]);
return( 1 );
case 'l' :
opt.no_convert = 1;
break;
case 'b' :
i = 0;
s = optarg;
while( sscanf( s, "%x", &n ) == 1 )
{
if( n < 0 || n > 255 )
{
printf( "Invalid BSSID (not a MAC).\n" );
printf("\"%s --help\" for help.\n", argv[0]);
return( 1 );
}
opt.bssid[i] = n;
if( ++i >= 6 ) break;
if( ! ( s = strchr( s, ':' ) ) )
break;
s++;
}
if( i != 6 )
{
printf( "Invalid BSSID (not a MAC).\n" );
printf("\"%s --help\" for help.\n", argv[0]);
return( 1 );
}
break;
case 'k' :
if( opt.crypt != CRYPT_NONE )
{
printf( "Encryption key already specified.\n" );
printf("\"%s --help\" for help.\n", argv[0]);
return( 1 );
}
opt.crypt = CRYPT_WPA;
i = 0;
s = optarg;
buf[0] = s[0];
buf[1] = s[1];
buf[2] = '\0';
while( sscanf( buf, "%x", &n ) == 1 )
{
if( n < 0 || n > 255 )
{
printf( "Invalid WPA PMK.\n" );
printf("\"%s --help\" for help.\n", argv[0]);
return( 1 );
}
opt.pmk[i++] = n;
if( i >= 32 ) break;
s += 2;
if( s[0] == ':' || s[0] == '-' )
s++;
if( s[0] == '\0' || s[1] == '\0' )
break;
buf[0] = s[0];
buf[1] = s[1];
}
if( i != 32 )
{
printf( "Invalid WPA PMK.\n" );
printf("\"%s --help\" for help.\n", argv[0]);
return( 1 );
}
break;
case 'e' :
if ( opt.essid[0])
{
printf( "ESSID already specified.\n" );
printf("\"%s --help\" for help.\n", argv[0]);
return( 1 );
}
memset( opt.essid, 0, sizeof( opt.essid ) );
strncpy( opt.essid, optarg, sizeof( opt.essid ) - 1 );
break;
case 'p' :
if( opt.crypt != CRYPT_NONE )
{
printf( "Encryption key already specified.\n" );
printf("\"%s --help\" for help.\n", argv[0]);
return( 1 );
}
opt.crypt = CRYPT_WPA;
memset( opt.passphrase, 0, sizeof( opt.passphrase ) );
strncpy( opt.passphrase, optarg, sizeof( opt.passphrase ) - 1 );
break;
case 'w' :
if( opt.crypt != CRYPT_NONE )
{
printf( "Encryption key already specified.\n" );
printf("\"%s --help\" for help.\n", argv[0]);
return( 1 );
}
opt.crypt = CRYPT_WEP;
i = 0;
s = optarg;
buf[0] = s[0];
buf[1] = s[1];
buf[2] = '\0';
while( sscanf( buf, "%x", &n ) == 1 )
{
if( n < 0 || n > 255 )
{
printf( "Invalid WEP key.\n" );
printf("\"%s --help\" for help.\n", argv[0]);
return( 1 );
}
opt.wepkey[i++] = n;
if( i >= 64 ) break;
s += 2;
if( s[0] == ':' || s[0] == '-' )
s++;
if( s[0] == '\0' || s[1] == '\0' )
break;
buf[0] = s[0];
buf[1] = s[1];
}
if( i != 5 && i != 13 && i != 16 && i != 29 && i != 61 )
{
printf( "Invalid WEP key length. [5,13,16,29,61]\n" );
printf("\"%s --help\" for help.\n", argv[0]);
return( 1 );
}
opt.weplen = i;
break;
case 'H' :
printf( usage, getVersion("Airdecap-ng", _MAJ, _MIN, _SUB_MIN, _REVISION, _BETA, _RC));
return( 1 );
default : goto usage;
}
}
if( argc - optind != 1 )
{
if(argc == 1)
{
usage:
printf( usage, getVersion("Airdecap-ng", _MAJ, _MIN, _SUB_MIN, _REVISION, _BETA, _RC));
}
if( argc - optind == 0)
{
printf("No file to decrypt specified.\n");
}
if(argc > 1)
{
printf("\"%s --help\" for help.\n", argv[0]);
}
return( 1 );
}
if( opt.crypt == CRYPT_WPA )
{
if( opt.passphrase[0] != '\0' )
{
/* compute the Pairwise Master Key */
if( opt.essid[0] == '\0' )
{
printf( "You must also specify the ESSID (-e).\n" );
printf("\"%s --help\" for help.\n", argv[0]);
return( 1 );
}
calc_pmk( opt.passphrase, opt.essid, opt.pmk );
}
}
/* open the input and output pcap files */
if( ( f_in = fopen( argv[optind], "rb" ) ) == NULL )
{
perror( "fopen failed\n" );
printf( "Could not open \"%s\".\n", argv[optind] );
return( 1 );
}
n = sizeof( pfh );
if( fread( &pfh, 1, n, f_in ) != (size_t) n )
{
perror( "fread(pcap file header) failed" );
return( 1 );
}
if( pfh.magic != TCPDUMP_MAGIC &&
pfh.magic != TCPDUMP_CIGAM )
{
printf( "\"%s\" isn't a pcap file (expected "
"TCPDUMP_MAGIC).\n", argv[optind] );
return( 1 );
}
if( ( magic = pfh.magic ) == TCPDUMP_CIGAM )
SWAP32( pfh.linktype );
if( pfh.linktype != LINKTYPE_IEEE802_11 &&
pfh.linktype != LINKTYPE_PRISM_HEADER &&
pfh.linktype != LINKTYPE_RADIOTAP_HDR &&
pfh.linktype != LINKTYPE_PPI_HDR )
{
printf( "\"%s\" isn't a regular 802.11 "
"(wireless) capture.\n", argv[optind] );
return( 1 );
}
linktype = pfh.linktype;
n = strlen( argv[optind] );
if( n > 4 && ( n + 5 < (int) sizeof( buffer ) ) &&
argv[optind][n - 4] == '.' )
{
memcpy( buffer , argv[optind], n - 4 );
memcpy( buffer2, argv[optind], n - 4 );
memcpy( buffer + n - 4, "-dec", 4 );
memcpy( buffer2 + n - 4, "-bad", 4 );
memcpy( buffer + n, argv[optind] + n - 4, 5 );
memcpy( buffer2 + n, argv[optind] + n - 4, 5 );
}
else
{
if( n > 5 && ( n + 6 < (int) sizeof( buffer ) ) &&
argv[optind][n - 5] == '.' )
{
memcpy( buffer , argv[optind], n - 5 );
memcpy( buffer2, argv[optind], n - 5 );
memcpy( buffer + n - 5, "-dec", 4 );
memcpy( buffer2 + n - 5, "-bad", 4 );
memcpy( buffer + n - 1, argv[optind] + n - 5, 6 );
memcpy( buffer2 + n - 1, argv[optind] + n - 5, 6 );
}
else
{
memset( buffer , 0, sizeof( buffer ) );
memset( buffer2, 0, sizeof( buffer ) );
snprintf( (char *) buffer , sizeof( buffer ) - 1,
"%s-dec", argv[optind] );
snprintf( (char *) buffer2, sizeof( buffer ) - 1,
"%s-bad", argv[optind] );
}
}
if( opt.crypt == CRYPT_WEP && opt.no_convert == 1 )
{
opt.store_bad=1;
}
if( ( f_out = fopen( (char *) buffer, "wb+" ) ) == NULL )
{
perror( "fopen failed" );
printf( "Could not create \"%s\".\n", buffer );
return( 1 );
}
if(opt.store_bad)
{
if( ( f_bad = fopen( (char *) buffer2, "wb+" ) ) == NULL )
{
perror( "fopen failed" );
printf( "Could not create \"%s\".\n", buffer2 );
return( 1 );
}
}
pfh.magic = TCPDUMP_MAGIC;
pfh.version_major = PCAP_VERSION_MAJOR;
pfh.version_minor = PCAP_VERSION_MINOR;
pfh.thiszone = 0;
pfh.sigfigs = 0;
pfh.snaplen = 65535;
pfh.linktype = ( opt.no_convert ) ?
LINKTYPE_IEEE802_11 :
LINKTYPE_ETHERNET;
n = sizeof( pfh );
if( fwrite( &pfh, 1, n, f_out ) != (size_t) n )
{
perror( "fwrite(pcap file header) failed" );
return( 1 );
}
if(opt.store_bad)
{
if( fwrite( &pfh, 1, n, f_bad ) != (size_t) n )
{
perror( "fwrite(pcap file header) failed" );
return( 1 );
}
}
/* loop reading and deciphering the packets */
memset( &stats, 0, sizeof( stats ) );
tt = time( NULL );
st_1st = NULL;
while( 1 )
{
if( time( NULL ) - tt > 0 )
{
/* update the status line every second */
printf( "\33[KRead %ld packets...\r", stats.nb_read );
fflush( stdout );
tt = time( NULL );
}
/* read one packet */
n = sizeof( pkh );
if( fread( &pkh, 1, n, f_in ) != (size_t) n )
break;
if( magic == TCPDUMP_CIGAM ) {
SWAP32( pkh.caplen );
SWAP32( pkh.len );
}
n = pkh.caplen;
if( n <= 0 || n > 65535 )
{
printf( "Corrupted file? Invalid packet length %d.\n", n );
break;
}
if( fread( buffer, 1, n, f_in ) != (size_t) n )
break;
stats.nb_read++;
h80211 = buffer;
if( linktype == LINKTYPE_PRISM_HEADER )
{
/* remove the prism header */
if( h80211[7] == 0x40 )
n = 64; /* prism54 */
else
{
n = *(int *)( h80211 + 4 );
if( magic == TCPDUMP_CIGAM )
SWAP32( n );
}
if( n < 8 || n >= (int) pkh.caplen )
continue;
h80211 += n; pkh.caplen -= n;
}
if( linktype == LINKTYPE_RADIOTAP_HDR )
{
/* remove the radiotap header */
n = *(unsigned short *)( h80211 + 2 );
if( n <= 0 || n >= (int) pkh.caplen )
continue;
h80211 += n; pkh.caplen -= n;
}
if( linktype == LINKTYPE_PPI_HDR )
{
/* Remove the PPI header */
n = le16_to_cpu(*(unsigned short *)( h80211 + 2));
if( n <= 0 || n>= (int) pkh.caplen )
continue;
/* for a while Kismet logged broken PPI headers */
if ( n == 24 && le16_to_cpu(*(unsigned short *)(h80211 + 8)) == 2 )
n = 32;
if( n <= 0 || n>= (int) pkh.caplen )
continue;
h80211 += n; pkh.caplen -= n;
}
/* remove the FCS if present (madwifi) */
if( check_crc_buf( h80211, pkh.caplen - 4 ) == 1 )
{
pkh.len -= 4;
pkh.caplen -= 4;
}
/* check if data */
if( ( h80211[0] & 0x0C ) != 0x08 )
continue;
/* check minimum size */
z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
if( z + 16 > pkh.caplen )
continue;
/* check QoS header */
if ( GET_SUBTYPE(h80211[0]) == IEEE80211_FC0_SUBTYPE_QOS ) {
z += 2;
}
/* check the BSSID */
switch( h80211[1] & 3 )
{
case 0: memcpy( bssid, h80211 + 16, 6 ); break; //Adhoc
case 1: memcpy( bssid, h80211 + 4, 6 ); break; //ToDS
case 2: memcpy( bssid, h80211 + 10, 6 ); break; //FromDS
case 3: memcpy( bssid, h80211 + 10, 6 ); break; //WDS -> Transmitter taken as BSSID
}
if( memcmp( opt.bssid, ZERO, 6 ) != 0 )
if( memcmp( opt.bssid, bssid, 6 ) != 0 )
continue;
/* locate the station's MAC address */
switch( h80211[1] & 3 )
{
case 1: memcpy( stmac, h80211 + 10, 6 ); break;
case 2: memcpy( stmac, h80211 + 4, 6 ); break;
case 3: memcpy( stmac, h80211 + 10, 6 ); break;
default: continue;
}
st_prv = NULL;
st_cur = st_1st;
while( st_cur != NULL )
{
if( ! memcmp( st_cur->stmac, stmac, 6 ) )
break;
st_prv = st_cur;
st_cur = st_cur->next;
}
/* if it's a new station, add it */
if( st_cur == NULL )
{
if( ! ( st_cur = (struct WPA_ST_info *) malloc(
sizeof( struct WPA_ST_info ) ) ) )
{
perror( "malloc failed" );
break;
}
memset( st_cur, 0, sizeof( struct WPA_ST_info ) );
if( st_1st == NULL )
st_1st = st_cur;
else
st_prv->next = st_cur;
memcpy( st_cur->stmac, stmac, 6 );
memcpy( st_cur->bssid, bssid, 6 );
}
/* check if we haven't already processed this packet */
crc = calc_crc_buf( h80211 + z, pkh.caplen - z );
if( ( h80211[1] & 3 ) == 2 )
{
if( st_cur->t_crc == crc )
continue;
st_cur->t_crc = crc;
}
else
{
if( st_cur->f_crc == crc )
continue;
st_cur->f_crc = crc;
}
/* check the SNAP header to see if data is encrypted *
* as unencrypted data begins with AA AA 03 00 00 00 */
if( h80211[z] != h80211[z + 1] || h80211[z + 2] != 0x03 )
{
/* check the extended IV flag */
if( ( h80211[z + 3] & 0x20 ) == 0 )
{
uchar K[64];
stats.nb_wep++;
if( opt.crypt != CRYPT_WEP )
continue;
memcpy( K, h80211 + z, 3 );
memcpy( K + 3, opt.wepkey, opt.weplen );
if(opt.store_bad)
memcpy(buffer2, h80211, pkh.caplen);
if( decrypt_wep( h80211 + z + 4, pkh.caplen - z - 4,
K, 3 + opt.weplen ) == 0 )
{
if(opt.store_bad)
{
stats.nb_bad++;
memcpy(h80211, buffer2, pkh.caplen);
if( write_packet( f_bad, &pkh, h80211 ) != 0 )
break;
}
continue;
}
/* WEP data packet was successfully decrypted, *
* remove the WEP IV & ICV and write the data */
pkh.len -= 8;
pkh.caplen -= 8;
memmove( h80211 + z, h80211 + z + 4, pkh.caplen - z );
stats.nb_unwep++;
h80211[1] &= 0xBF;
if( write_packet( f_out, &pkh, h80211 ) != 0 )
break;
}
else
{
stats.nb_wpa++;
if( opt.crypt != CRYPT_WPA )
continue;
/* if the PTK is valid, try to decrypt */
if( st_cur == NULL || ! st_cur->valid_ptk )
continue;
if( st_cur->keyver == 1 )
{
if( decrypt_tkip( h80211, pkh.caplen,
st_cur->ptk + 32 ) == 0 )
continue;
pkh.len -= 20;
pkh.caplen -= 20;
}
else
{
if( decrypt_ccmp( h80211, pkh.caplen,
st_cur->ptk + 32 ) == 0 )
continue;
pkh.len -= 16;
pkh.caplen -= 16;
}
/* WPA data packet was successfully decrypted, *
* remove the WPA Ext.IV & MIC, write the data */
/* can overlap */
memmove( h80211 + z, h80211 + z + 8, pkh.caplen - z );
stats.nb_unwpa++;
h80211[1] &= 0xBF;
if( write_packet( f_out, &pkh, h80211 ) != 0 )
break;
}
}
else
{
/* check ethertype == EAPOL */
z += 6;
if( h80211[z] != 0x88 || h80211[z + 1] != 0x8E )
{
stats.nb_plain++;
if( opt.crypt != CRYPT_NONE )
continue;
if( write_packet( f_out, &pkh, h80211 ) != 0 )
break;
else
continue;
}
z += 2;
/* type == 3 (key), desc. == 254 (WPA) or 2 (RSN) */
if( h80211[z + 1] != 0x03 ||
( h80211[z + 4] != 0xFE && h80211[z + 4] != 0x02 ) )
continue;
/* frame 1: Pairwise == 1, Install == 0, Ack == 1, MIC == 0 */
if( ( h80211[z + 6] & 0x08 ) != 0 &&
( h80211[z + 6] & 0x40 ) == 0 &&
( h80211[z + 6] & 0x80 ) != 0 &&
( h80211[z + 5] & 0x01 ) == 0 )
{
/* set authenticator nonce */
memcpy( st_cur->anonce, &h80211[z + 17], 32 );
}
/* frame 2 or 4: Pairwise == 1, Install == 0, Ack == 0, MIC == 1 */
if( ( h80211[z + 6] & 0x08 ) != 0 &&
( h80211[z + 6] & 0x40 ) == 0 &&
( h80211[z + 6] & 0x80 ) == 0 &&
( h80211[z + 5] & 0x01 ) != 0 )
{
if( memcmp( &h80211[z + 17], ZERO, 32 ) != 0 )
{
/* set supplicant nonce */
memcpy( st_cur->snonce, &h80211[z + 17], 32 );
}
/* copy the MIC & eapol frame */
st_cur->eapol_size = ( h80211[z + 2] << 8 )
+ h80211[z + 3] + 4;
if (pkh.len - z < st_cur->eapol_size || st_cur->eapol_size == 0 ||
st_cur->eapol_size > sizeof(st_cur->eapol))
{
// Ignore the packet trying to crash us.
st_cur->eapol_size = 0;
continue;
}
memcpy( st_cur->keymic, &h80211[z + 81], 16 );
memcpy( st_cur->eapol, &h80211[z], st_cur->eapol_size );
memset( st_cur->eapol + 81, 0, 16 );
/* copy the key descriptor version */
st_cur->keyver = h80211[z + 6] & 7;
}
/* frame 3: Pairwise == 1, Install == 1, Ack == 1, MIC == 1 */
if( ( h80211[z + 6] & 0x08 ) != 0 &&
( h80211[z + 6] & 0x40 ) != 0 &&
( h80211[z + 6] & 0x80 ) != 0 &&
( h80211[z + 5] & 0x01 ) != 0 )
{
if( memcmp( &h80211[z + 17], ZERO, 32 ) != 0 )
{
/* set authenticator nonce */
memcpy( st_cur->anonce, &h80211[z + 17], 32 );
}
/* copy the MIC & eapol frame */
st_cur->eapol_size = ( h80211[z + 2] << 8 )
+ h80211[z + 3] + 4;
if (pkh.len - z < st_cur->eapol_size || st_cur->eapol_size == 0 ||
st_cur->eapol_size > sizeof(st_cur->eapol))
{
// Ignore the packet trying to crash us.
st_cur->eapol_size = 0;
continue;
}
memcpy( st_cur->keymic, &h80211[z + 81], 16 );
memcpy( st_cur->eapol, &h80211[z], st_cur->eapol_size );
memset( st_cur->eapol + 81, 0, 16 );
/* copy the key descriptor version */
st_cur->keyver = h80211[z + 6] & 7;
}
st_cur->valid_ptk = calc_ptk( st_cur, opt.pmk );
}
}
fclose( f_in );
fclose( f_out );
if(opt.store_bad)
fclose( f_bad );
/* write some statistics */
printf( "\33[KTotal number of packets read % 8ld\n"
"Total number of WEP data packets % 8ld\n"
"Total number of WPA data packets % 8ld\n"
"Number of plaintext data packets % 8ld\n"
"Number of decrypted WEP packets % 8ld\n"
"Number of corrupted WEP packets % 8ld\n"
"Number of decrypted WPA packets % 8ld\n",
stats.nb_read, stats.nb_wep, stats.nb_wpa,
stats.nb_plain, stats.nb_unwep, stats.nb_bad, stats.nb_unwpa );
return( 0 );
}
