From: Russ Handorf Date: Tue, 5 Jun 2018 20:11:49 +0000 (-0400) Subject: initial commit X-Git-Url: http://russells-world.com/code/?a=commitdiff_plain;p=wisuck.git initial commit --- 4c150e2a201a30fca7e8c764cf568fd0231fd658 diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..a8a5016 --- /dev/null +++ b/Makefile @@ -0,0 +1,13 @@ +DEPS = endian.h +LIBS=$(LDFLAGS) -L. -lpcap -lorcon2 -lm +OBJ = wisuck.o + +%.o: %.c $(DEPS) + $(CC) -c -o $@ $< + +wisuck: $(OBJ) + $(CC) -o $@ $^ $(CFLAGS) $(LIBS) + +clean: + rm -rf *.o + rm -rf wisuck diff --git a/README.md b/README.md new file mode 100644 index 0000000..fd6e48b --- /dev/null +++ b/README.md @@ -0,0 +1,16 @@ +Howdy do neighbors, + +This project is an effort to draw awareness to just show shitty WiFi still is, as if we didn't already realize it. It's 2018, and WiFi is still shit. What do you mean it's still shit? Glad you asked. Watching @kismetwireless hack on his code, and reading the comments on the various forums regarding weirdness with some things that people see, which can sometimes be replicated in the lab, it's come to my desire to provide some level of calibration of the performance of wireless devices from what I consider the gold standard: all things kismet. + +This code is hacked together from the foundation of LORCON. What it aims to provide you is a method for you to check to make sure your gear is working like you hope it is by "simulating" a variety of wireless packets from a transmitter. The problem is, wireless vendors suck, still, at writing firmware that works reliably and predictably in your wireless NIC's... still. The OS driver will sometimes quietly drop/ignore these packets as another defense, but the sheer fact that the kernel is getting them passed from the NIC is, in my opinion, stupid. RFMON mode helps drop a bunch of these protection mechanisms and will let you see just how bad "bad" is; like sometimes even reporting packets *that just dont exist...ever* As in, there is some sort of glitch in the firmware or hardware that fires garbage out for for all your tools to parse. + +So what you have here is a program that is going to detect the capabilities of your adapter, randomize a lot of different WiFi packet options, fire them out and write you a log file to then compare against your kismet server's results. It's the closest thing to calibration I could think of for you. The ghost in the machine is hard enough to detect, but hopefully this is a start for someone better than me to do something similar. + +To Do: +1. Add these in: + void lcpf_data(struct lcpa_metapack *pack, unsigned int fcflags, unsigned int duration, uint8_t *mac1, uint8_t *mac2, uint8_t *mac3, uint8_t *mac4, unsigned int fragment, unsigned int sequence) +2. Not rely on LORCON, but do this in SDR; because WiFi adapters suck +3. Remove some stupid functions and things I wrote when I was sick; they're not hurting anything now, but Russ... you suck +4. Add some stats automagically, instead of barfing to a file + +Happy hacking. diff --git a/wisuck.c b/wisuck.c new file mode 100644 index 0000000..698ecc3 --- /dev/null +++ b/wisuck.c @@ -0,0 +1,252 @@ +//Russ Handorf wrote most of this in a fit of rage. +//Mike, all the love in the world for putting up with me and my bad coding. +//Demo code pulled from LORCON man pages and examples (thanks Brad Antoniewicz!) +//Run this at your own peril. It's bad code. Honest. + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +void help() { + printf("There's really only one option right now:\n"); + printf("\t-i \tInterface\n"); +} + +void random_ssid(char *ssid) { + int i, len; + srand(time(NULL) + getpid()); //replace me im shit: fopen /dev/urandom in rb mode then fread(in_mac, 6, 1, fileptr) + len=rand() % 31; + static const char alphanum[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "; + + for (i = 0; i < len; i++) { + ssid[i] = alphanum[rand() % (sizeof(alphanum) - 1)]; + } + ssid[len] = 0; +} + +void random_mac(uint8_t mac[6]){ + int i; + srand(time(NULL) + getpid()); //replace me im shit: fopen /dev/urandom in rb mode then fread(in_mac, 6, 1, fileptr) + + for (i = 0; i < 6; i++) { + mac[i] = rand() % 256; + } +} + +int main(int argc, char *argv[]) { + char *interface = NULL; + char ssid[32]; + int c; + lorcon_driver_t *drvlist, *driver; + lorcon_t *context; + lcpa_metapack_t *metapack; + lorcon_packet_t *txpack; + uint8_t src_mac[6], dst_mac[6]; + + struct timeval time2; + uint64_t timestamp; + int interval = 10; + int capabilities = 0x0421; + + int channel=1; + + long ms; // Milliseconds + time_t s; // Seconds + struct timespec spec; + + int randompacket=rand()%3; + char *packettype="UNK"; + + while ((c = getopt(argc, argv, "i:h")) != EOF) { + switch (c) { + case 'i': + interface = strdup(optarg); + break; + case 'h': + help(); + return(0); + break; + } + } + + if ( interface == NULL ) { + printf ("ERROR: Interface not set.\n"); + help(); + return(-1); + } + + if ( (driver = lorcon_auto_driver(interface)) == NULL) { + printf("[!] Could not determine the driver for %s\n",interface); + return -1; + } else { + printf("[+]\t Driver: %s\n",driver->name); + } + + + if ((context = lorcon_create(interface, driver)) == NULL) { + printf("[!]\t Failed to create context"); + return -1; + } + + if (lorcon_open_injmon(context) < 0) { + printf("[!]\t Could not create Monitor Mode interface!\n"); + return -1; + } else { + printf("[+]\t Monitor Mode VAP: %s\n",lorcon_get_vap(context)); + lorcon_free_driver_list(driver); + } + + int tmpchan=0; + int finalchannels[255]; + int channels24[15]={0,1,2,3,4,5,6,7,8,9,10,11,12,13,14}; + int channels52[10]={0,36,40,44,48,52,56,60,64}; + int channels58[17]={0,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165}; + uint8_t rates[] = "\x8c\x12\x98\x24\xb0\x48\x60\x6c"; + int chancount=0; + int tmpcode=0; + + + //technically, I dont need the loops below anymore, and can just go from 1 to the max since it all goes in the array anyways + //he said after recovering from mucinex dm + int chanmax=sizeof(channels24) / sizeof(int); + for (tmpchan=1; tmpchan 999) { + s++; + ms = 0; + } + gettimeofday(&time2, NULL); + timestamp = time2.tv_sec * 1000000 + time2.tv_usec; + + // Initialize the LORCON metapack + metapack = lcpa_init(); + + // Create a Beacon frame from 00:DE:AD:BE:EF:00 + random_mac(src_mac); + random_mac(dst_mac); + random_ssid(ssid); + + channel = finalchannels[rand() % (chancount)]; + lorcon_set_channel(context,channel); + + randompacket=rand()%3; + switch(randompacket) { + case 0: + packettype="BEACON"; + lcpf_beacon(metapack, src_mac, dst_mac, 0x00, 0x00, 0x00, 0x00, timestamp, interval, capabilities); + break; + case 1: + packettype="PROBE REQUEST"; + lcpf_probereq(metapack, src_mac, 0x00, 0x00, 0x00, 0x00); + break; + case 2: + packettype="PROBE RESPONSE"; + lcpf_proberesp(metapack, dst_mac, src_mac, src_mac, 0x00, 0x00, 0x00, 0x00, timestamp, interval, capabilities); + break; + } + + // Append IE Tag 0 for SSID + lcpf_add_ie(metapack, 0, strlen(ssid),ssid); + + // Most of the following IE tags are not needed, but added here as examples + + // Append IE Tag 1 for rates + lcpf_add_ie(metapack, 1, sizeof(rates)-1, rates); + + // Append IE Tag 3 for Channel + lcpf_add_ie(metapack, 3, 1, &channel); + + // Append IE Tags 42/47 for ERP Info + lcpf_add_ie(metapack, 42, 1, "\x05"); + lcpf_add_ie(metapack, 47, 1, "\x05"); + + // Convert the LORCON metapack to a LORCON packet for sending + txpack = (lorcon_packet_t *) lorcon_packet_from_lcpa(context, metapack); + + if ( lorcon_inject(context,txpack) < 0 ) + return -1; + + usleep(interval * 1000); + + printf("\033[K\r"); + fprintf(logs,"%"PRIdMAX".%03ld, %s, %02x:%02x:%02x:%02x:%02x:%02x, %02x:%02x:%02x:%02x:%02x:%02x, %d, %s\n", (intmax_t)s, ms, packettype, src_mac[0], src_mac[1], src_mac[2], src_mac[3], src_mac[4], src_mac[5], dst_mac[0], dst_mac[1], dst_mac[2], dst_mac[3], dst_mac[4], dst_mac[5], channel, ssid); + printf("[+] Src Mac: %02x:%02x:%02x:%02x:%02x:%02x Dst Mac: %02x:%02x:%02x:%02x:%02x:%02x C: %d Sent %d frames, Hit CTRL + C to stop...", src_mac[0], src_mac[1], src_mac[2], src_mac[3], src_mac[4], src_mac[5], dst_mac[0], dst_mac[1], dst_mac[2], dst_mac[3], dst_mac[4], dst_mac[5], channel, count); + fflush(stdout); + count++; + + // Free the metapack + lcpa_free(metapack); + + } + + fclose(logs); + lorcon_close(context); + lorcon_free(context); + return(0); +}