/*
* Queries the database for the public / private keypair that matches the fingerprint stored in certinfo.
* If found, the certificate / key members of the keymaster struct are populated accordingly.
* Returns 1 on success, 0 on failure.
*/
int lookup_key(struct keymaster *certinfo)
{
int result_size = 0, err_code = 0, retval = 1;
char *desc_query = NULL, *priv_query = NULL, *pub_query = NULL;
if(sql_init(DB_NAME, DB_LOCAL) != SQLITE_OK)
{
goto error;
}
priv_query = sqlite3_mprintf("SELECT key FROM certificates WHERE fingerprint = %Q", certinfo->fingerprint);
certinfo->key = sql_exec(priv_query, &result_size, &err_code);
sqlite3_free(priv_query);
if(err_code != SQLITE_OK)
{
goto error;
}
pub_query = sqlite3_mprintf("SELECT certificate FROM certificates WHERE fingerprint = %Q", certinfo->fingerprint);
certinfo->certificate = sql_exec(pub_query, &result_size, &err_code);
sqlite3_free(pub_query);
if(err_code != SQLITE_OK)
{
goto error;
}
desc_query = sqlite3_mprintf("SELECT description FROM certificates WHERE fingerprint = %Q", certinfo->fingerprint);
certinfo->description = sql_exec(desc_query, &result_size, &err_code);
sqlite3_free(desc_query);
if(err_code != SQLITE_OK)
{
goto error;
}
goto end;
error:
sql_log_error();
retval = 0;
end:
sql_cleanup();
return retval;
}
/* Dumps search results that match the provided query term */
void print_search_results(char *term)
{
int count = 0;
char *query = NULL, *q = NULL, *table = NULL;
/* Format strings for the respective columns retrieved in sql_dump() */
char *col_fmt[NUM_COLS] = {"%-25s", "%-50s", "%-25s", "%-25s", "%-15s", "%-50s"};
if(sql_init(DB_NAME, DB_LOCAL) != SQLITE_OK)
{
sql_log_error();
goto end;
}
/* Queries should be in the format: <table.column>=<search term> */
table = strdup(term);
q = strstr(table, QUERY_DELIMITER);
if(!q)
{
fprintf(stderr, "ERROR: Improperly formatted query!\n");
goto end;
}
memset(q, 0, 1);
q++;
query = sqlite3_mprintf("SELECT firmware.vendor,firmware.description,hardware.vendor,model,revision,hardware.description FROM firmware JOIN hardware ON firmware.device_id=hardware.id WHERE %s LIKE '%%%q%%'", table, q);
/* Print out a table of all relevant database info related to this certificate */
printf("\n%s\n%s\n", COL_HEADERS, HEADER_DELIM);
count = sql_dump(query, col_fmt, NUM_COLS, stdout);
printf("\nFound %d matches for '%s'.\n\n", count, q);
end:
if(table) free(table);
sqlite3_free(query);
sql_cleanup();
return;
}
/* Prints out all information related to the selected certificate to stdout */
void print_all_cert_info(struct keymaster *certinfo)
{
int count = 0;
char *query = NULL;
/* Format strings for the respective columns retrieved in sql_dump() */
char *col_fmt[NUM_COLS] = {"%-25s", "%-50s", "%-25s", "%-25s", "%-15s", "%-50s"};
if(sql_init(DB_NAME, DB_LOCAL) != SQLITE_OK)
{
sql_log_error();
return;
}
query = sqlite3_mprintf("SELECT firmware.vendor,firmware.description,hardware.vendor,model,revision,hardware.description FROM firmware JOIN hardware ON firmware.device_id=hardware.id WHERE certificate_id = (SELECT id FROM certificates WHERE fingerprint = %Q)", certinfo->fingerprint);
/* Print out a table of all relevant database info related to this certificate */
printf("\n%s\n%s\n", COL_HEADERS, HEADER_DELIM);
count = sql_dump(query, col_fmt, NUM_COLS, stdout);
printf("\nFound %d firmware(s) using this certificate.\n\n", count);
sqlite3_free(query);
sql_cleanup();
return;
}
int main(int argc, char *argv[])
{
int c = 0;
FILE *fp = NULL;
int long_opt_index = 0, i = 0, channel = 0, passive = 0, mode = 0;
int source = INTERFACE, ret_val = EXIT_FAILURE;
struct bpf_program bpf = { 0 };
char *out_file = NULL, *last_optarg = NULL, *target = NULL, *bssid = NULL;
char *short_options = "i:c:n:o:b:5sfuCDh";
struct option long_options[] = {
{ "bssid", required_argument, NULL, 'b' },
{ "interface", required_argument, NULL, 'i' },
{ "channel", required_argument, NULL, 'c' },
{ "out-file", required_argument, NULL, 'o' },
{ "probes", required_argument, NULL, 'n' },
{ "daemonize", no_argument, NULL, 'D' },
{ "file", no_argument, NULL, 'f' },
{ "ignore-fcs", no_argument, NULL, 'C' },
{ "5ghz", no_argument, NULL, '5' },
{ "scan", no_argument, NULL, 's' },
{ "survey", no_argument, NULL, 'u' },
{ "help", no_argument, NULL, 'h' },
{ 0, 0, 0, 0 }
};
fprintf(stderr, "\nWash v%s WiFi Protected Setup Scan Tool\n", PACKAGE_VERSION);
fprintf(stderr, "Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <*****@*****.**>\n\n");
globule_init();
sql_init();
create_ap_table();
set_auto_channel_select(0);
set_wifi_band(BG_BAND);
set_debug(INFO);
set_validate_fcs(1);
set_log_file(stdout);
set_max_num_probes(DEFAULT_MAX_NUM_PROBES);
while((c = getopt_long(argc, argv, short_options, long_options, &long_opt_index)) != -1)
{
switch(c)
{
case 'f':
source = PCAP_FILE;
break;
case 'i':
set_iface(optarg);
break;
case 'b':
bssid = strdup(optarg);
break;
case 'c':
channel = atoi(optarg);
set_fixed_channel(1);
break;
case '5':
set_wifi_band(AN_BAND);
break;
case 'n':
set_max_num_probes(atoi(optarg));
break;
case 'o':
out_file = strdup(optarg);
break;
case 's':
mode = SCAN;
break;
case 'u':
mode = SURVEY;
break;
case 'C':
set_validate_fcs(0);
break;
case 'D':
daemonize();
break;
default:
usage(argv[0]);
goto end;
}
/* Track the last optarg. This is used later when looping back through any specified pcap files. */
if(optarg)
{
if(last_optarg)
{
free(last_optarg);
}
last_optarg = strdup(optarg);
}
}
/* The interface value won't be set if capture files were specified; else, there should have been an interface specified */
if(!get_iface() && source != PCAP_FILE)
{
usage(argv[0]);
goto end;
}
if(get_iface() && source == PCAP_FILE)
{
cprintf(CRITICAL, "[X] ERROR: -i and -f options cannot be used together.\n");
usage(argv[0]);
goto end;
}
/* If we're reading from a file, be sure we don't try to transmit probe requests */
if(source == PCAP_FILE)
{
passive = 1;
}
/* Open the output file, if any. If none, write to stdout. */
if(out_file)
{
fp = fopen(out_file, "wb");
if(!fp)
{
cprintf(CRITICAL, "[X] ERROR: Failed to open '%s' for writing\n", out_file);
goto end;
}
set_log_file(fp);
}
/*
* Loop through all of the specified capture sources. If an interface was specified, this will only loop once and the
* call to monitor() will block indefinitely. If capture files were specified, this will loop through each file specified
* on the command line and monitor() will return after each file has been processed.
*/
for(i=argc-1; i>0; i--)
{
/* If the source is a pcap file, get the file name from the command line */
if(source == PCAP_FILE)
{
/* If we've gotten to the arguments, we're done */
if((argv[i][0] == '-') ||
(last_optarg && (memcmp(argv[i], last_optarg, strlen(last_optarg)) == 0))
)
{
break;
}
else
{
target = argv[i];
}
}
/* Else, use the specified interface name */
else
{
target = get_iface();
}
set_handle(capture_init(target));
if(!get_handle())
{
cprintf(CRITICAL, "[X] ERROR: Failed to open '%s' for capturing\n", get_iface());
goto end;
}
if(pcap_compile(get_handle(), &bpf, PACKET_FILTER, 0, 0) != 0)
{
cprintf(CRITICAL, "[X] ERROR: Failed to compile packet filter\n");
goto end;
}
if(pcap_setfilter(get_handle(), &bpf) != 0)
{
cprintf(CRITICAL, "[X] ERROR: Failed to set packet filter\n");
goto end;
}
/* Do it. */
monitor(bssid, passive, source, channel, mode);
printf("\n");
}
ret_val = EXIT_SUCCESS;
end:
globule_deinit();
sql_cleanup();
if(bssid) free(bssid);
if(out_file) free(out_file);
if(wpsmon.fp) fclose(wpsmon.fp);
return ret_val;
}
