Imported Upstream version 1.4
Devon Kearns
11 years ago
0 | GNU GENERAL PUBLIC LICENSE | |
1 | Version 2, June 1991 | |
2 | ||
3 | Copyright (C) 1989, 1991 Free Software Foundation, Inc. | |
4 | 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
5 | Everyone is permitted to copy and distribute verbatim copies | |
6 | of this license document, but changing it is not allowed. | |
7 | ||
8 | Preamble | |
9 | ||
10 | The licenses for most software are designed to take away your | |
11 | freedom to share and change it. By contrast, the GNU General Public | |
12 | License is intended to guarantee your freedom to share and change free | |
13 | software--to make sure the software is free for all its users. This | |
14 | General Public License applies to most of the Free Software | |
15 | Foundation's software and to any other program whose authors commit to | |
16 | using it. (Some other Free Software Foundation software is covered by | |
17 | the GNU Library General Public License instead.) You can apply it to | |
18 | your programs, too. | |
19 | ||
20 | When we speak of free software, we are referring to freedom, not | |
21 | price. Our General Public Licenses are designed to make sure that you | |
22 | have the freedom to distribute copies of free software (and charge for | |
23 | this service if you wish), that you receive source code or can get it | |
24 | if you want it, that you can change the software or use pieces of it | |
25 | in new free programs; and that you know you can do these things. | |
26 | ||
27 | To protect your rights, we need to make restrictions that forbid | |
28 | anyone to deny you these rights or to ask you to surrender the rights. | |
29 | These restrictions translate to certain responsibilities for you if you | |
30 | distribute copies of the software, or if you modify it. | |
31 | ||
32 | For example, if you distribute copies of such a program, whether | |
33 | gratis or for a fee, you must give the recipients all the rights that | |
34 | you have. You must make sure that they, too, receive or can get the | |
35 | source code. And you must show them these terms so they know their | |
36 | rights. | |
37 | ||
38 | We protect your rights with two steps: (1) copyright the software, and | |
39 | (2) offer you this license which gives you legal permission to copy, | |
40 | distribute and/or modify the software. | |
41 | ||
42 | Also, for each author's protection and ours, we want to make certain | |
43 | that everyone understands that there is no warranty for this free | |
44 | software. If the software is modified by someone else and passed on, we | |
45 | want its recipients to know that what they have is not the original, so | |
46 | that any problems introduced by others will not reflect on the original | |
47 | authors' reputations. | |
48 | ||
49 | Finally, any free program is threatened constantly by software | |
50 | patents. We wish to avoid the danger that redistributors of a free | |
51 | program will individually obtain patent licenses, in effect making the | |
52 | program proprietary. To prevent this, we have made it clear that any | |
53 | patent must be licensed for everyone's free use or not licensed at all. | |
54 | ||
55 | The precise terms and conditions for copying, distribution and | |
56 | modification follow. | |
57 | ||
58 | GNU GENERAL PUBLIC LICENSE | |
59 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION | |
60 | ||
61 | 0. This License applies to any program or other work which contains | |
62 | a notice placed by the copyright holder saying it may be distributed | |
63 | under the terms of this General Public License. The "Program", below, | |
64 | refers to any such program or work, and a "work based on the Program" | |
65 | means either the Program or any derivative work under copyright law: | |
66 | that is to say, a work containing the Program or a portion of it, | |
67 | either verbatim or with modifications and/or translated into another | |
68 | language. (Hereinafter, translation is included without limitation in | |
69 | the term "modification".) Each licensee is addressed as "you". | |
70 | ||
71 | Activities other than copying, distribution and modification are not | |
72 | covered by this License; they are outside its scope. The act of | |
73 | running the Program is not restricted, and the output from the Program | |
74 | is covered only if its contents constitute a work based on the | |
75 | Program (independent of having been made by running the Program). | |
76 | Whether that is true depends on what the Program does. | |
77 | ||
78 | 1. You may copy and distribute verbatim copies of the Program's | |
79 | source code as you receive it, in any medium, provided that you | |
80 | conspicuously and appropriately publish on each copy an appropriate | |
81 | copyright notice and disclaimer of warranty; keep intact all the | |
82 | notices that refer to this License and to the absence of any warranty; | |
83 | and give any other recipients of the Program a copy of this License | |
84 | along with the Program. | |
85 | ||
86 | You may charge a fee for the physical act of transferring a copy, and | |
87 | you may at your option offer warranty protection in exchange for a fee. | |
88 | ||
89 | 2. You may modify your copy or copies of the Program or any portion | |
90 | of it, thus forming a work based on the Program, and copy and | |
91 | distribute such modifications or work under the terms of Section 1 | |
92 | above, provided that you also meet all of these conditions: | |
93 | ||
94 | a) You must cause the modified files to carry prominent notices | |
95 | stating that you changed the files and the date of any change. | |
96 | ||
97 | b) You must cause any work that you distribute or publish, that in | |
98 | whole or in part contains or is derived from the Program or any | |
99 | part thereof, to be licensed as a whole at no charge to all third | |
100 | parties under the terms of this License. | |
101 | ||
102 | c) If the modified program normally reads commands interactively | |
103 | when run, you must cause it, when started running for such | |
104 | interactive use in the most ordinary way, to print or display an | |
105 | announcement including an appropriate copyright notice and a | |
106 | notice that there is no warranty (or else, saying that you provide | |
107 | a warranty) and that users may redistribute the program under | |
108 | these conditions, and telling the user how to view a copy of this | |
109 | License. (Exception: if the Program itself is interactive but | |
110 | does not normally print such an announcement, your work based on | |
111 | the Program is not required to print an announcement.) | |
112 | ||
113 | These requirements apply to the modified work as a whole. If | |
114 | identifiable sections of that work are not derived from the Program, | |
115 | and can be reasonably considered independent and separate works in | |
116 | themselves, then this License, and its terms, do not apply to those | |
117 | sections when you distribute them as separate works. But when you | |
118 | distribute the same sections as part of a whole which is a work based | |
119 | on the Program, the distribution of the whole must be on the terms of | |
120 | this License, whose permissions for other licensees extend to the | |
121 | entire whole, and thus to each and every part regardless of who wrote it. | |
122 | ||
123 | Thus, it is not the intent of this section to claim rights or contest | |
124 | your rights to work written entirely by you; rather, the intent is to | |
125 | exercise the right to control the distribution of derivative or | |
126 | collective works based on the Program. | |
127 | ||
128 | In addition, mere aggregation of another work not based on the Program | |
129 | with the Program (or with a work based on the Program) on a volume of | |
130 | a storage or distribution medium does not bring the other work under | |
131 | the scope of this License. | |
132 | ||
133 | 3. You may copy and distribute the Program (or a work based on it, | |
134 | under Section 2) in object code or executable form under the terms of | |
135 | Sections 1 and 2 above provided that you also do one of the following: | |
136 | ||
137 | a) Accompany it with the complete corresponding machine-readable | |
138 | source code, which must be distributed under the terms of Sections | |
139 | 1 and 2 above on a medium customarily used for software interchange; or, | |
140 | ||
141 | b) Accompany it with a written offer, valid for at least three | |
142 | years, to give any third party, for a charge no more than your | |
143 | cost of physically performing source distribution, a complete | |
144 | machine-readable copy of the corresponding source code, to be | |
145 | distributed under the terms of Sections 1 and 2 above on a medium | |
146 | customarily used for software interchange; or, | |
147 | ||
148 | c) Accompany it with the information you received as to the offer | |
149 | to distribute corresponding source code. (This alternative is | |
150 | allowed only for noncommercial distribution and only if you | |
151 | received the program in object code or executable form with such | |
152 | an offer, in accord with Subsection b above.) | |
153 | ||
154 | The source code for a work means the preferred form of the work for | |
155 | making modifications to it. For an executable work, complete source | |
156 | code means all the source code for all modules it contains, plus any | |
157 | associated interface definition files, plus the scripts used to | |
158 | control compilation and installation of the executable. However, as a | |
159 | special exception, the source code distributed need not include | |
160 | anything that is normally distributed (in either source or binary | |
161 | form) with the major components (compiler, kernel, and so on) of the | |
162 | operating system on which the executable runs, unless that component | |
163 | itself accompanies the executable. | |
164 | ||
165 | If distribution of executable or object code is made by offering | |
166 | access to copy from a designated place, then offering equivalent | |
167 | access to copy the source code from the same place counts as | |
168 | distribution of the source code, even though third parties are not | |
169 | compelled to copy the source along with the object code. | |
170 | ||
171 | 4. You may not copy, modify, sublicense, or distribute the Program | |
172 | except as expressly provided under this License. Any attempt | |
173 | otherwise to copy, modify, sublicense or distribute the Program is | |
174 | void, and will automatically terminate your rights under this License. | |
175 | However, parties who have received copies, or rights, from you under | |
176 | this License will not have their licenses terminated so long as such | |
177 | parties remain in full compliance. | |
178 | ||
179 | 5. You are not required to accept this License, since you have not | |
180 | signed it. However, nothing else grants you permission to modify or | |
181 | distribute the Program or its derivative works. These actions are | |
182 | prohibited by law if you do not accept this License. Therefore, by | |
183 | modifying or distributing the Program (or any work based on the | |
184 | Program), you indicate your acceptance of this License to do so, and | |
185 | all its terms and conditions for copying, distributing or modifying | |
186 | the Program or works based on it. | |
187 | ||
188 | 6. Each time you redistribute the Program (or any work based on the | |
189 | Program), the recipient automatically receives a license from the | |
190 | original licensor to copy, distribute or modify the Program subject to | |
191 | these terms and conditions. You may not impose any further | |
192 | restrictions on the recipients' exercise of the rights granted herein. | |
193 | You are not responsible for enforcing compliance by third parties to | |
194 | this License. | |
195 | ||
196 | 7. If, as a consequence of a court judgment or allegation of patent | |
197 | infringement or for any other reason (not limited to patent issues), | |
198 | conditions are imposed on you (whether by court order, agreement or | |
199 | otherwise) that contradict the conditions of this License, they do not | |
200 | excuse you from the conditions of this License. If you cannot | |
201 | distribute so as to satisfy simultaneously your obligations under this | |
202 | License and any other pertinent obligations, then as a consequence you | |
203 | may not distribute the Program at all. For example, if a patent | |
204 | license would not permit royalty-free redistribution of the Program by | |
205 | all those who receive copies directly or indirectly through you, then | |
206 | the only way you could satisfy both it and this License would be to | |
207 | refrain entirely from distribution of the Program. | |
208 | ||
209 | If any portion of this section is held invalid or unenforceable under | |
210 | any particular circumstance, the balance of the section is intended to | |
211 | apply and the section as a whole is intended to apply in other | |
212 | circumstances. | |
213 | ||
214 | It is not the purpose of this section to induce you to infringe any | |
215 | patents or other property right claims or to contest validity of any | |
216 | such claims; this section has the sole purpose of protecting the | |
217 | integrity of the free software distribution system, which is | |
218 | implemented by public license practices. Many people have made | |
219 | generous contributions to the wide range of software distributed | |
220 | through that system in reliance on consistent application of that | |
221 | system; it is up to the author/donor to decide if he or she is willing | |
222 | to distribute software through any other system and a licensee cannot | |
223 | impose that choice. | |
224 | ||
225 | This section is intended to make thoroughly clear what is believed to | |
226 | be a consequence of the rest of this License. | |
227 | ||
228 | 8. If the distribution and/or use of the Program is restricted in | |
229 | certain countries either by patents or by copyrighted interfaces, the | |
230 | original copyright holder who places the Program under this License | |
231 | may add an explicit geographical distribution limitation excluding | |
232 | those countries, so that distribution is permitted only in or among | |
233 | countries not thus excluded. In such case, this License incorporates | |
234 | the limitation as if written in the body of this License. | |
235 | ||
236 | 9. The Free Software Foundation may publish revised and/or new versions | |
237 | of the General Public License from time to time. Such new versions will | |
238 | be similar in spirit to the present version, but may differ in detail to | |
239 | address new problems or concerns. | |
240 | ||
241 | Each version is given a distinguishing version number. If the Program | |
242 | specifies a version number of this License which applies to it and "any | |
243 | later version", you have the option of following the terms and conditions | |
244 | either of that version or of any later version published by the Free | |
245 | Software Foundation. If the Program does not specify a version number of | |
246 | this License, you may choose any version ever published by the Free Software | |
247 | Foundation. | |
248 | ||
249 | 10. If you wish to incorporate parts of the Program into other free | |
250 | programs whose distribution conditions are different, write to the author | |
251 | to ask for permission. For software which is copyrighted by the Free | |
252 | Software Foundation, write to the Free Software Foundation; we sometimes | |
253 | make exceptions for this. Our decision will be guided by the two goals | |
254 | of preserving the free status of all derivatives of our free software and | |
255 | of promoting the sharing and reuse of software generally. | |
256 | ||
257 | NO WARRANTY | |
258 | ||
259 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY | |
260 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN | |
261 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES | |
262 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED | |
263 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF | |
264 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS | |
265 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE | |
266 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, | |
267 | REPAIR OR CORRECTION. | |
268 | ||
269 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING | |
270 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR | |
271 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, | |
272 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING | |
273 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED | |
274 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY | |
275 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER | |
276 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE | |
277 | POSSIBILITY OF SUCH DAMAGES. | |
278 | ||
279 | END OF TERMS AND CONDITIONS | |
280 | ||
281 | How to Apply These Terms to Your New Programs | |
282 | ||
283 | If you develop a new program, and you want it to be of the greatest | |
284 | possible use to the public, the best way to achieve this is to make it | |
285 | free software which everyone can redistribute and change under these terms. | |
286 | ||
287 | To do so, attach the following notices to the program. It is safest | |
288 | to attach them to the start of each source file to most effectively | |
289 | convey the exclusion of warranty; and each file should have at least | |
290 | the "copyright" line and a pointer to where the full notice is found. | |
291 | ||
292 | <one line to give the program's name and a brief idea of what it does.> | |
293 | Copyright (C) 19yy <name of author> | |
294 | ||
295 | This program is free software; you can redistribute it and/or modify | |
296 | it under the terms of the GNU General Public License as published by | |
297 | the Free Software Foundation; either version 2 of the License, or | |
298 | (at your option) any later version. | |
299 | ||
300 | This program is distributed in the hope that it will be useful, | |
301 | but WITHOUT ANY WARRANTY; without even the implied warranty of | |
302 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
303 | GNU General Public License for more details. | |
304 | ||
305 | You should have received a copy of the GNU General Public License | |
306 | along with this program; if not, write to the Free Software | |
307 | Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
308 | ||
309 | ||
310 | Also add information on how to contact you by electronic and paper mail. | |
311 | ||
312 | If the program is interactive, make it output a short notice like this | |
313 | when it starts in an interactive mode: | |
314 | ||
315 | Gnomovision version 69, Copyright (C) 19yy name of author | |
316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. | |
317 | This is free software, and you are welcome to redistribute it | |
318 | under certain conditions; type `show c' for details. | |
319 | ||
320 | The hypothetical commands `show w' and `show c' should show the appropriate | |
321 | parts of the General Public License. Of course, the commands you use may | |
322 | be called something other than `show w' and `show c'; they could even be | |
323 | mouse-clicks or menu items--whatever suits your program. | |
324 | ||
325 | You should also get your employer (if you work as a programmer) or your | |
326 | school, if any, to sign a "copyright disclaimer" for the program, if | |
327 | necessary. Here is a sample; alter the names: | |
328 | ||
329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program | |
330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. | |
331 | ||
332 | <signature of Ty Coon>, 1 April 1989 | |
333 | Ty Coon, President of Vice | |
334 | ||
335 | This General Public License does not permit incorporating your program into | |
336 | proprietary programs. If your program is a subroutine library, you may | |
337 | consider it more useful to permit linking proprietary applications with the | |
338 | library. If this is what you want to do, use the GNU Library General | |
339 | Public License instead of this License. |
Binary diff not shown
0 | CFLAGS = -pipe -Wall -O2 -ggdb -g3 | |
1 | LDLIBS = -lpcap -lcrypto | |
2 | PROG = eapmd5pass | |
3 | PROGOBJ = utils.o | |
4 | ||
5 | all: $(PROGOBJ) $(PROG) | |
6 | ||
7 | utils.o: utils.c utils.h | |
8 | $(CC) $(CFLAGS) -c utils.c | |
9 | ||
10 | eapmd5pass: eapmd5pass.c eapmd5pass.h utils.c utils.h | |
11 | $(CC) $(CFLAGS) -o eapmd5pass $(PROGOBJ) eapmd5pass.c $(LDLIBS) | |
12 | ||
13 | clean: | |
14 | $(RM) $(PROG) $(PROGOBJ) *~ | |
15 | ||
16 | strip: | |
17 | @strip $(PROG) |
0 | eapmd5pass - offline EAP-MD5 dictionary attack. | |
1 | ||
2 | Copyright(c) 2007-2008, Joshua Wright <[email protected]> | |
3 | ||
4 | $Id: README,v 1.2 2008/02/10 02:24:34 jwright Exp $ | |
5 | ||
6 | -------------------------------------------------------------------------------- | |
7 | ||
8 | EAP-MD5 is a legacy authentication mechanism that does not provide sufficient | |
9 | protection for user authentication credentials. Users who authenticate using | |
10 | EAP-MD5 subject themselves to an offline dictionary attack vulnerability. | |
11 | ||
12 | This tool reads from a live network interface in monitor-mode, or from a | |
13 | stored libpcap capture file, and extracts the portions of the EAP-MD5 | |
14 | authentication exchange. Once the challenge and response portions have been | |
15 | collected from this exchange, eapmd5pass will mount an offline dictionary | |
16 | attack against the user's password. | |
17 | ||
18 | ||
19 | SAMPLE CAPTURES | |
20 | ||
21 | The following sample EAP-MD5 packet captures have the corresponding | |
22 | passwords: | |
23 | ||
24 | File Password | |
25 | ---- -------- | |
26 | eapmd5-sample.dump beaVIs | |
27 | EAPMD5-Challenge-01.cap bradtest | |
28 | brad.eaptest.cap bradtest | |
29 | bra.eaptest2.cap bradtest | |
30 | ||
31 | ||
32 | USE NOTES | |
33 | ||
34 | Normal operation of this tool will be to specify a dictionary file of words | |
35 | to use as potential passwords, one per line, along with a packet capture file | |
36 | from wireless network of an EAP-MD5 exchange, as shown below: | |
37 | ||
38 | ||
39 | $ ./eapmd5pass -w dict -r eapmd5-sample.dump | |
40 | eapmd5pass - Dictionary attack against EAP-MD5 | |
41 | Collected all data necessary to attack password for "jwright", starting attack. | |
42 | User password is "beaVIs". | |
43 | 3917111 passwords in 6.55 seconds: 598165.01 passwords/second. | |
44 | ||
45 | ||
46 | However, there may be cases where mounting an EAP-MD5 attack is necessary | |
47 | even when a packet capture is not available. If you have observed an EAP-MD5 | |
48 | exchange but do not have the data in a wireless packet capture that is | |
49 | understood by this tool, you can manually specify the following parameters | |
50 | as command-line arguments: | |
51 | ||
52 | + username | |
53 | + EAP challenge (16 bytes) | |
54 | + EAP response (16 bytes) | |
55 | + EAP Id of the EAP response frame (usually "2") | |
56 | + Dictionary file | |
57 | ||
58 | An example of using eapmd5pass in this manner is shown below: | |
59 | ||
60 | ||
61 | $ ./eapmd5pass -w dict -U jwright -C d7:ec:2f:ff:2a:da:43:7f:9d:cd:4e:3b:0d:f4:4d:50 -R 1f:fc:6c:26:59:bc:5b:b9:41:44:fd:01:eb:75:6e:37 -E 2 | |
62 | eapmd5pass - Dictionary attack against EAP-MD5 | |
63 | User password is "beaVIs". | |
64 | 3917111 passwords in 7.05 seconds: 555990.03 passwords/second. | |
65 | ||
66 | ||
67 | Note that this tool isn't particularly useful; with no native supplicant | |
68 | support for EAP-MD5 in Microsoft Windows, and the lack of support for | |
69 | encryption in an EAP-MD5 network, it is rare to see EAP-MD5 in use. However, | |
70 | the Windows IAS server has support for EAP-MD5 enabled by default, so it is | |
71 | conceivable that a user could setup their own workstation to use this | |
72 | protocol, unaware of the risks associated with this EAP type. It should be | |
73 | noted that the Funk Odyssey and Mac OS X supplicants both support EAP-MD5 | |
74 | authentication. | |
75 | ||
76 | Why did I write this? I'm not sure. It's possible that I wrote this during a | |
77 | chrono-synclastic infundibulum experience, where it may have meant more to me | |
78 | at the time. | |
79 | ||
80 | ||
81 | THANKS | |
82 | ||
83 | Special thanks to Brad Antoniewicz for his patches and additional test | |
84 | capture files. | |
85 | ||
86 | COMMENTS/QUESTIONS/CONCERNS? | |
87 | ||
88 | Please contact me at [email protected]. Thanks! |
Binary diff not shown
Binary diff not shown
0 | /* Copyright (c) 2007, Joshua Wright <[email protected]> | |
1 | * | |
2 | * This program is free software; you can redistribute it and/or modify | |
3 | * it under the terms of the GNU General Public License version 2 as | |
4 | * published by the Free Software Foundation. See COPYING for more | |
5 | * details. | |
6 | * | |
7 | * This software is distributed in the hope that it will be useful, | |
8 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
9 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
10 | * GNU General Public License for more details. | |
11 | */ | |
12 | ||
13 | #ifndef BYTESWAP_H | |
14 | #define BYTESWAP_H | |
15 | ||
16 | #define __swab16(x) \ | |
17 | ({ \ | |
18 | uint16_t __x = (x); \ | |
19 | ((uint16_t)( \ | |
20 | (((uint16_t)(__x) & (uint16_t)0x00ffU) << 8) | \ | |
21 | (((uint16_t)(__x) & (uint16_t)0xff00U) >> 8) )); \ | |
22 | }) | |
23 | ||
24 | #define __swab32(x) \ | |
25 | ({ \ | |
26 | uint32_t __x = (x); \ | |
27 | ((uint32_t)( \ | |
28 | (((uint32_t)(__x) & (uint32_t)0x000000ffUL) << 24) | \ | |
29 | (((uint32_t)(__x) & (uint32_t)0x0000ff00UL) << 8) | \ | |
30 | (((uint32_t)(__x) & (uint32_t)0x00ff0000UL) >> 8) | \ | |
31 | (((uint32_t)(__x) & (uint32_t)0xff000000UL) >> 24) )); \ | |
32 | }) | |
33 | ||
34 | #define __swab64(x) \ | |
35 | ({ \ | |
36 | uint64_t __x = (x); \ | |
37 | ((uint64_t)( \ | |
38 | (uint64_t)(((uint64_t)(__x) & (uint64_t)0x00000000000000ffULL) << 56) | \ | |
39 | (uint64_t)(((uint64_t)(__x) & (uint64_t)0x000000000000ff00ULL) << 40) | \ | |
40 | (uint64_t)(((uint64_t)(__x) & (uint64_t)0x0000000000ff0000ULL) << 24) | \ | |
41 | (uint64_t)(((uint64_t)(__x) & (uint64_t)0x00000000ff000000ULL) << 8) | \ | |
42 | (uint64_t)(((uint64_t)(__x) & (uint64_t)0x000000ff00000000ULL) >> 8) | \ | |
43 | (uint64_t)(((uint64_t)(__x) & (uint64_t)0x0000ff0000000000ULL) >> 24) | \ | |
44 | (uint64_t)(((uint64_t)(__x) & (uint64_t)0x00ff000000000000ULL) >> 40) | \ | |
45 | (uint64_t)(((uint64_t)(__x) & (uint64_t)0xff00000000000000ULL) >> 56) )); \ | |
46 | }) | |
47 | ||
48 | #ifdef WORDS_BIGENDIAN | |
49 | #warning "Compiling for big-endian" | |
50 | #define le16_to_cpu(x) __swab16(x) | |
51 | #define le32_to_cpu(x) __swab32(x) | |
52 | #define le64_to_cpu(x) __swab64(x) | |
53 | #else | |
54 | #define le16_to_cpu(x) (x) | |
55 | #define le32_to_cpu(x) (x) | |
56 | #define le64_to_cpu(x) (x) | |
57 | #endif | |
58 | ||
59 | #endif /* BYTESWAP_H */ |
Binary diff not shown
0 | /* Copyright (c) 2007, Joshua Wright <[email protected]> | |
1 | * | |
2 | * This program is free software; you can redistribute it and/or modify | |
3 | * it under the terms of the GNU General Public License version 2 as | |
4 | * published by the Free Software Foundation. See COPYING for more | |
5 | * details. | |
6 | * | |
7 | * This software is distributed in the hope that it will be useful, | |
8 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
9 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
10 | * GNU General Public License for more details. | |
11 | */ | |
12 | ||
13 | #include <stdio.h> | |
14 | #include <stdlib.h> | |
15 | #include <string.h> | |
16 | #include <unistd.h> | |
17 | #include <netinet/in.h> | |
18 | #include <signal.h> | |
19 | ||
20 | #include <openssl/md5.h> | |
21 | #include <pcap.h> | |
22 | ||
23 | #include "radiotap.h" | |
24 | #include "utils.h" | |
25 | #include "byteswap.h" | |
26 | #include "eapmd5pass.h" | |
27 | #include "ieee80211.h" | |
28 | #include "ieee8021x.h" | |
29 | #include "ietfproto.h" | |
30 | ||
31 | /* pcap descriptor */ | |
32 | pcap_t *p = NULL; | |
33 | struct pcap_pkthdr *h; | |
34 | uint8_t *dot11packetbuf; | |
35 | int __verbosity=0; | |
36 | int offset=0; /* Offset of pcap data to beginning of frame */ | |
37 | long pcount=0; /* Total number of packets observed */ | |
38 | struct eapmd5pass_data em; | |
39 | ||
40 | void cleanexit() | |
41 | { | |
42 | if (p != NULL) { | |
43 | pcap_close(p); | |
44 | } | |
45 | ||
46 | if (em.recovered_pass > 0) { | |
47 | exit(0); | |
48 | } else { | |
49 | exit(1); | |
50 | } | |
51 | } | |
52 | ||
53 | void usage() | |
54 | { | |
55 | printf("\nUsage: eapmd5pass [ -i <int> | -r <pcapfile> ] [ -w wordfile ] [options]\n"); | |
56 | printf("\n"); | |
57 | printf(" -i <iface>\tinterface name\n"); | |
58 | printf(" -r <pcapfile>\tread from a named libpcap file\n"); | |
59 | printf(" -w <wordfile>\tuse wordfile for possible passwords.\n"); | |
60 | printf(" -b <bssid>\tBSSID of target network (default: all)\n"); | |
61 | printf(" -U <username>\tUsername of EAP-MD5 user.\n"); | |
62 | printf(" -C <chal>\tEAP-MD5 challenge value.\n"); | |
63 | printf(" -R <response>\tEAP-MD5 response value.\n"); | |
64 | printf(" -E <eapid>\tEAP-MD5 response EAP ID value.\n"); | |
65 | printf(" -v\t\tincrease verbosity level (max 3)\n"); | |
66 | printf(" -V\t\tversion information\n"); | |
67 | printf(" -h\t\tusage information\n"); | |
68 | ||
69 | printf("\nThe \"-r\" and \"[-U|-C|-R|-E]\" options are not meant to be " | |
70 | "used together. Use -r\nwhen a packet capture is " | |
71 | "available. Specify the username, challenge and\n" | |
72 | "response when available through other means.\n"); | |
73 | } | |
74 | ||
75 | /* Determine radiotap data length (including header) and return offset for the | |
76 | beginning of the 802.11 header */ | |
77 | int radiotap_offset(pcap_t *p, struct pcap_pkthdr *h) | |
78 | { | |
79 | ||
80 | struct ieee80211_radiotap_header *rtaphdr; | |
81 | int rtaphdrlen=0; | |
82 | ||
83 | /* Grab a packet to examine radiotap header */ | |
84 | if (pcap_next_ex(p, &h, (const u_char **)&dot11packetbuf) > -1) { | |
85 | ||
86 | rtaphdr = (struct ieee80211_radiotap_header *)dot11packetbuf; | |
87 | rtaphdrlen = le16_to_cpu(rtaphdr->it_len); /* rtap is LE */ | |
88 | ||
89 | /* Sanity check on header length */ | |
90 | if (rtaphdrlen > (h->len - DOT11HDR_MINLEN)) { | |
91 | return -2; /* Bad radiotap data */ | |
92 | } | |
93 | ||
94 | return rtaphdrlen; | |
95 | } | |
96 | ||
97 | return -1; | |
98 | } | |
99 | ||
100 | void assess_packet(char *user, struct pcap_pkthdr *h, u_int8_t *pkt) | |
101 | { | |
102 | ||
103 | struct dot11hdr *dot11; | |
104 | struct ieee8021x *dot1xhdr; | |
105 | struct ieee8022 *dot2hdr; | |
106 | struct eap_hdr *eaphdr; | |
107 | uint8_t *srcaddrptr, *dstaddrptr, *bssidaddrptr; | |
108 | uint8_t *dot11buf; | |
109 | int plen, poffset; | |
110 | struct eapmd5pass_data *em; | |
111 | extern long pcount; | |
112 | ||
113 | em = (struct eapmd5pass_data *)user; | |
114 | ||
115 | dot11buf = (pkt + offset); | |
116 | ||
117 | pcount++; /* Global packet counter */ | |
118 | if (__verbosity > 2) { | |
119 | printf("Checking Frame: %ld....\n",pcount); | |
120 | } | |
121 | ||
122 | poffset = offset; | |
123 | plen = h->len - offset; | |
124 | if (plen > DOT11HDR_A3_LEN) { | |
125 | dot11 = (struct dot11hdr *)(pkt+offset); | |
126 | } else { | |
127 | if (__verbosity > 1) { | |
128 | printf("\tDiscarding too-small frame (%d).\n", plen); | |
129 | } | |
130 | return; | |
131 | } | |
132 | ||
133 | if (dot11->u1.fc.from_ds == 1 && dot11->u1.fc.to_ds == 1) { | |
134 | /* Ignore WDS frames */ | |
135 | if (__verbosity > 2) { | |
136 | printf("\tDiscarding WDS frame.\n"); | |
137 | } | |
138 | return; | |
139 | } else if (dot11->u1.fc.from_ds == 1 && dot11->u1.fc.to_ds == 0) { | |
140 | /* From the DS */ | |
141 | srcaddrptr = dot11->addr3; | |
142 | dstaddrptr = dot11->addr1; | |
143 | bssidaddrptr = dot11->addr2; | |
144 | } else if (dot11->u1.fc.from_ds == 0 && dot11->u1.fc.to_ds == 1) { | |
145 | /* To the DS, interesting to us */ | |
146 | srcaddrptr = dot11->addr2; | |
147 | dstaddrptr = dot11->addr3; | |
148 | bssidaddrptr = dot11->addr1; | |
149 | } else { /* fromds = 0, tods = 0 */ | |
150 | /* Ad-hoc, can this be used with PEAP? */ | |
151 | srcaddrptr = dot11->addr2; | |
152 | dstaddrptr = dot11->addr1; | |
153 | bssidaddrptr = dot11->addr3; | |
154 | } | |
155 | ||
156 | if (dot11->u1.fc.type != DOT11_FC_TYPE_DATA) { | |
157 | if (__verbosity > 2) { | |
158 | printf("\tDiscarding frame, not type data.\n"); | |
159 | } | |
160 | return; | |
161 | } | |
162 | ||
163 | /* Discard traffic for other BSSID's if one was specified; otherwise, | |
164 | all networks are fair game. */ | |
165 | if (em->bssidset) { | |
166 | if (memcmp(em->bssid, bssidaddrptr, IEEE802_MACLEN) != 0) { | |
167 | return; | |
168 | } | |
169 | } | |
170 | ||
171 | poffset += DOT11HDR_A3_LEN; | |
172 | plen -= DOT11HDR_A3_LEN; | |
173 | ||
174 | if (dot11->u1.fc.subtype == DOT11_FC_SUBTYPE_QOSDATA) { | |
175 | /* Move another 2 bytes past QoS header */ | |
176 | poffset += DOT11HDR_QOS_LEN; | |
177 | plen -= DOT11HDR_QOS_LEN; | |
178 | } else if (dot11->u1.fc.subtype != DOT11_FC_SUBTYPE_DATA) { | |
179 | if (__verbosity > 2) { | |
180 | printf("\tDiscarding frame, not-applicable subtype: " | |
181 | "%02x.\n", dot11->u1.fc.subtype); | |
182 | } | |
183 | return; | |
184 | } | |
185 | ||
186 | if (plen <= 0) { | |
187 | if (__verbosity > 2) { | |
188 | printf("\tDiscarding frame with no payload.\n"); | |
189 | } | |
190 | return; | |
191 | } | |
192 | ||
193 | ||
194 | /* IEEE 802.2 header */ | |
195 | dot2hdr = (struct ieee8022 *)(pkt+poffset); | |
196 | poffset += DOT2HDR_LEN; | |
197 | plen -= DOT2HDR_LEN; | |
198 | ||
199 | if (plen <= 0) { | |
200 | if (__verbosity > 2) { | |
201 | printf("\tDiscarding frame with partial 802.2 header.\n"); | |
202 | } | |
203 | return; | |
204 | } | |
205 | ||
206 | /* Check 802.2 header for embedded IEEE 802.1x authentication */ | |
207 | if (dot2hdr->dsap != IEEE8022_SNAP || dot2hdr->ssap != IEEE8022_SNAP) { | |
208 | if (__verbosity > 2) { | |
209 | printf("\tDiscarding frame, invalid 802.2 header.\n"); | |
210 | } | |
211 | return; | |
212 | } | |
213 | if (ntohs(dot2hdr->type) != IEEE8022_TYPE_DOT1X) { | |
214 | if (__verbosity > 2) { | |
215 | printf("\tDicarding frame, embedded protocol is not " | |
216 | "IEEE 802.1x (%04x).\n", dot2hdr->type); | |
217 | } | |
218 | return; | |
219 | } | |
220 | ||
221 | ||
222 | /* IEEE 802.1x header */ | |
223 | dot1xhdr = (struct ieee8021x *)(pkt + poffset); | |
224 | plen -= DOT1XHDR_LEN; | |
225 | poffset += DOT1XHDR_LEN; | |
226 | ||
227 | if (plen <= 0) { | |
228 | if (__verbosity > 2) { | |
229 | printf("\tDiscarding frame, too short for 802.1x (%d).\n", | |
230 | h->len - offset); | |
231 | } | |
232 | return; | |
233 | } | |
234 | ||
235 | if (dot1xhdr->version != DOT1X_VERSION1 && | |
236 | dot1xhdr->version != DOT1X_VERSION2) { | |
237 | if (__verbosity > 2) { | |
238 | printf("\tDiscarding frame, not an 802.1x packet.\n"); | |
239 | } | |
240 | return; | |
241 | } | |
242 | ||
243 | if (dot1xhdr->type != DOT1X_TYPE_EAP) { | |
244 | if (__verbosity > 2) { | |
245 | printf("\tDiscarding frame, not an EAP packet.\n"); | |
246 | } | |
247 | return; | |
248 | } | |
249 | ||
250 | /* EAP header contents */ | |
251 | eaphdr = (struct eap_hdr *)(pkt + poffset); | |
252 | ||
253 | if ((plen - EAPHDR_MIN_LEN) < 0) { | |
254 | if (__verbosity > 2) { | |
255 | printf("\tDiscarding frame, too short for EAP (%d).\n", | |
256 | h->len - offset); | |
257 | } | |
258 | return; | |
259 | } | |
260 | ||
261 | if (eaphdr->type != EAP_TYPE_ID && eaphdr->type != EAP_TYPE_MD5 && | |
262 | eaphdr->type != EAP_TYPE_EAP) { | |
263 | if (__verbosity > 2) { | |
264 | printf("\tDiscarding frame, not EAP Identification or " | |
265 | "EAP-MD5.\n"); | |
266 | } | |
267 | return; | |
268 | } | |
269 | ||
270 | /* Try to extract username */ | |
271 | if (dot11->u1.fc.from_ds == 0 && dot11->u1.fc.to_ds == 1 && | |
272 | eaphdr->type == EAP_TYPE_ID) { | |
273 | if (extract_eapusername((pkt+poffset), plen, em) == 0) { | |
274 | if (__verbosity > 2) { | |
275 | printf("\tFound Username!\n"); | |
276 | } | |
277 | em->namefound=1; | |
278 | return; | |
279 | } | |
280 | } | |
281 | ||
282 | /* Try to extract the challenge */ | |
283 | if (dot11->u1.fc.from_ds == 1 && dot11->u1.fc.to_ds == 0 && | |
284 | eaphdr->type == EAP_TYPE_MD5 && | |
285 | em->namefound == 1 && | |
286 | em->chalfound == 0) { | |
287 | if (extract_eapchallenge((pkt+poffset), plen, em) == 0) { | |
288 | if (__verbosity > 2) { | |
289 | printf("\tFound Challenge!\n"); | |
290 | } | |
291 | ||
292 | em->chalfound = 1; | |
293 | return; | |
294 | } | |
295 | } | |
296 | ||
297 | /* Try to extract the response */ | |
298 | if (dot11->u1.fc.from_ds == 0 && dot11->u1.fc.to_ds == 1 && | |
299 | eaphdr->type == EAP_TYPE_MD5 && | |
300 | em->namefound == 1 && | |
301 | em->chalfound == 1 && | |
302 | em->respfound == 0) { | |
303 | if (extract_eapresponse((pkt+poffset), plen, em) == 0) { | |
304 | if (__verbosity > 2) { | |
305 | printf("\tFound Response!\n"); | |
306 | } | |
307 | ||
308 | em->respfound = 1; | |
309 | return; | |
310 | } | |
311 | } | |
312 | ||
313 | /* Try to extract the success message */ | |
314 | if (dot11->u1.fc.from_ds == 1 && dot11->u1.fc.to_ds == 0 && | |
315 | em->namefound == 1 && | |
316 | em->chalfound == 1 && | |
317 | em->respfound == 1) { | |
318 | if (__verbosity > 2) { | |
319 | printf("\tFound Possible EAP Success!\n"); | |
320 | } | |
321 | ||
322 | if (extract_eapsuccess((pkt+poffset), plen, em) == 0) { | |
323 | em->succfound = 1; | |
324 | printf("Collected all data necessary to attack " | |
325 | "password for \"%s\", starting attack." | |
326 | "\n", em->username); | |
327 | eapmd5_attack(em); | |
328 | eapmd5_nexttarget(em); | |
329 | return; | |
330 | } else { | |
331 | if (__verbosity >2) { | |
332 | printf("\tCould not confirm EAP Success\n"); | |
333 | } | |
334 | } | |
335 | } | |
336 | ||
337 | return; | |
338 | } | |
339 | ||
340 | void eapmd5_attack(struct eapmd5pass_data *em) | |
341 | { | |
342 | ||
343 | FILE *fp; | |
344 | int passlen; | |
345 | unsigned long wordcount=0; | |
346 | uint8_t digest[16]; | |
347 | char buf[256]; | |
348 | struct timeval start, finish; | |
349 | int success=0; | |
350 | float elapsed=0; | |
351 | ||
352 | buf[0] = em->respeapid; | |
353 | ||
354 | if (*em->wordfile == '-') { | |
355 | fp = stdin; | |
356 | } else { | |
357 | fp = fopen(em->wordfile, "r"); | |
358 | } | |
359 | ||
360 | if (fp == NULL) { | |
361 | perror("fopen"); | |
362 | pcap_close(p); | |
363 | exit(-1); | |
364 | } | |
365 | ||
366 | gettimeofday(&start, 0); | |
367 | ||
368 | while(feof(fp) == 0) { | |
369 | if (fgets((buf+1), sizeof(buf)-1, fp) == NULL) { | |
370 | fclose(fp); | |
371 | break; | |
372 | } | |
373 | ||
374 | wordcount++; | |
375 | passlen = strlen(buf)-1; | |
376 | memcpy((buf+passlen), em->challenge, 16); | |
377 | ||
378 | MD5((uint8_t *)buf, passlen+16, digest); | |
379 | ||
380 | if (memcmp(digest, em->response, 16) == 0) { | |
381 | success=1; | |
382 | fclose(fp); | |
383 | break; | |
384 | } | |
385 | ||
386 | } | |
387 | ||
388 | gettimeofday(&finish, 0); | |
389 | ||
390 | if (success == 1) { | |
391 | em->recovered_pass++; | |
392 | buf[passlen] = 0; | |
393 | printf("User password is \"%s\".\n", buf+1); | |
394 | } else { | |
395 | printf("Unable to idenitfy user password, not in the dictionary" | |
396 | " file.\n"); | |
397 | } | |
398 | ||
399 | if (finish.tv_usec < start.tv_usec) { | |
400 | finish.tv_sec -= 1; | |
401 | finish.tv_usec += 1000000; | |
402 | } | |
403 | finish.tv_sec -= start.tv_sec; | |
404 | finish.tv_usec -= start.tv_usec; | |
405 | elapsed = finish.tv_sec + finish.tv_usec / 1000000.0; | |
406 | ||
407 | printf("%lu passwords in %.2f seconds: %.2f passwords/second.\n", | |
408 | wordcount, elapsed, wordcount/elapsed); | |
409 | return; | |
410 | } | |
411 | ||
412 | void eapmd5_nexttarget(struct eapmd5pass_data *em) | |
413 | { | |
414 | /* Reset tracking values for the next attack */ | |
415 | em->namefound = 0; | |
416 | em->chalfound = 0; | |
417 | em->respfound = 0; | |
418 | em->succfound = 0; | |
419 | return; | |
420 | } | |
421 | ||
422 | int extract_eapusername(uint8_t *eap, int len, struct eapmd5pass_data *em) | |
423 | { | |
424 | struct eap_hdr *eaphdr; | |
425 | int usernamelen; | |
426 | int eaplen; | |
427 | ||
428 | eaphdr = (struct eap_hdr *)eap; | |
429 | ||
430 | if (eaphdr->code != EAP_RESPONSE) { | |
431 | return 1; | |
432 | } | |
433 | ||
434 | if (eaphdr->type != EAP_TYPE_ID) { | |
435 | return 1; | |
436 | } | |
437 | ||
438 | eaplen = ntohs(eaphdr->length); | |
439 | if (eaplen > len) { | |
440 | return 1; | |
441 | } | |
442 | ||
443 | /* 5 bytes for EAP header information without identity information */ | |
444 | usernamelen = (eaplen - 5); | |
445 | ||
446 | usernamelen = (eaplen > sizeof(em->username)) | |
447 | ? sizeof(em->username) : usernamelen; | |
448 | memcpy(em->username, (eap+5), usernamelen); | |
449 | em->username[usernamelen] = 0; | |
450 | ||
451 | return 0; | |
452 | } | |
453 | ||
454 | int extract_eapchallenge(uint8_t *eap, int len, struct eapmd5pass_data *em) | |
455 | { | |
456 | struct eap_hdr *eaphdr; | |
457 | int eaplen; | |
458 | int offset; | |
459 | ||
460 | eaphdr = (struct eap_hdr *)eap; | |
461 | ||
462 | if (eaphdr->code != EAP_REQUEST) { | |
463 | return 1; | |
464 | } | |
465 | ||
466 | if (eaphdr->type != EAP_TYPE_MD5) { | |
467 | return 1; | |
468 | } | |
469 | ||
470 | eaplen = ntohs(eaphdr->length); | |
471 | if (eaplen > len) { | |
472 | return 1; | |
473 | } | |
474 | ||
475 | /* 5th byte offset is the value-size parameter */ | |
476 | if ((eap[5]) != 16) { | |
477 | return 1; | |
478 | } | |
479 | ||
480 | len -= 6; | |
481 | offset = 6; | |
482 | ||
483 | if (len <= 0) { | |
484 | return 1; | |
485 | } | |
486 | ||
487 | memcpy(em->challenge, (eap+offset), 16); | |
488 | return 0; | |
489 | } | |
490 | ||
491 | ||
492 | int extract_eapresponse(uint8_t *eap, int len, struct eapmd5pass_data *em) | |
493 | { | |
494 | struct eap_hdr *eaphdr; | |
495 | int eaplen; | |
496 | int offset; | |
497 | ||
498 | eaphdr = (struct eap_hdr *)eap; | |
499 | ||
500 | if (eaphdr->code != EAP_RESPONSE) { | |
501 | return 1; | |
502 | } | |
503 | ||
504 | if (eaphdr->type != EAP_TYPE_MD5) { | |
505 | return 1; | |
506 | } | |
507 | ||
508 | eaplen = ntohs(eaphdr->length); | |
509 | if (eaplen > len) { | |
510 | return 1; | |
511 | } | |
512 | ||
513 | /* 5th byte offset is the value-size parameter */ | |
514 | if ((eap[5]) != 16) { | |
515 | return 1; | |
516 | } | |
517 | ||
518 | len -= 6; | |
519 | offset = 6; | |
520 | ||
521 | if (len <= 0) { | |
522 | return 1; | |
523 | } | |
524 | ||
525 | memcpy(em->response, (eap+offset), 16); | |
526 | em->respeapid = eaphdr->identifier; | |
527 | return 0; | |
528 | } | |
529 | ||
530 | int extract_eapsuccess(uint8_t *eap, int len, struct eapmd5pass_data *em) | |
531 | { | |
532 | struct eap_hdr *eaphdr; | |
533 | ||
534 | eaphdr = (struct eap_hdr *)eap; | |
535 | ||
536 | if (eaphdr->code == EAP_FAILURE) { | |
537 | /* Reset tracking values for next exchange */ | |
538 | eapmd5_nexttarget(em); | |
539 | } | |
540 | ||
541 | if (eaphdr->code == EAP_SUCCESS) { | |
542 | return 0; | |
543 | } | |
544 | ||
545 | return 1; | |
546 | } | |
547 | ||
548 | /* Called by signal SIGALRM */ | |
549 | void break_pcaploop() | |
550 | { | |
551 | if (__verbosity > 2) { | |
552 | printf("Calling pcap_breakloop.\n"); | |
553 | } | |
554 | pcap_breakloop(p); | |
555 | } | |
556 | ||
557 | ||
558 | ||
559 | int main(int argc, char *argv[]) | |
560 | { | |
561 | ||
562 | char errbuf[PCAP_ERRBUF_SIZE], iface[17], pcapfile[1024]; | |
563 | int opt=0, datalink=0, ret=0; | |
564 | extern struct eapmd5pass_data em; | |
565 | ||
566 | memset(&em, 0, sizeof(em)); | |
567 | memset(pcapfile, 0, sizeof(pcapfile)); | |
568 | ||
569 | printf("eapmd5pass - Dictionary attack against EAP-MD5\n"); | |
570 | while ((opt = getopt(argc, argv, "w:r:i:b:U:C:R:E:vVh?")) != -1) { | |
571 | switch(opt) { | |
572 | ||
573 | case 'i': | |
574 | /* Interface name */ | |
575 | strncpy(iface, optarg, sizeof(iface)-1); | |
576 | break; | |
577 | case 'w': | |
578 | /* word file */ | |
579 | strncpy(em.wordfile, optarg, sizeof(em.wordfile)-1); | |
580 | break; | |
581 | case 'r': | |
582 | /* Read from pcap file */ | |
583 | strncpy(pcapfile, optarg, sizeof(pcapfile)-1); | |
584 | break; | |
585 | case 'b': | |
586 | /* BSSID of target network */ | |
587 | if (str2mac(optarg, em.bssid) != 0) { | |
588 | fprintf(stderr, "Error parsing BSSID MAC " | |
589 | "address.\n"); | |
590 | usage(); | |
591 | return -1; | |
592 | } | |
593 | em.bssidset = 1; | |
594 | break; | |
595 | case 'C': | |
596 | if (strlen(optarg) != 47) { | |
597 | usage("Incorrect challenge input length " | |
598 | "specified.\n"); | |
599 | exit(1); | |
600 | } | |
601 | if (str2hex(optarg, em.challenge, | |
602 | sizeof(em.challenge)) < 0) { | |
603 | usage("Malformed value specified as " | |
604 | "challenge.\n"); | |
605 | exit(1); | |
606 | } | |
607 | em.chalfound=1; | |
608 | break; | |
609 | case 'R': | |
610 | if (strlen(optarg) != 47) { | |
611 | usage("Incorrect response input length " | |
612 | "specified.\n"); | |
613 | exit(1); | |
614 | } | |
615 | if (str2hex(optarg, em.response, | |
616 | sizeof(em.response)) < 0) { | |
617 | usage("Malformed value specified as " | |
618 | "response.\n"); | |
619 | exit(1); | |
620 | } | |
621 | em.respfound=1; | |
622 | break; | |
623 | case 'U': | |
624 | strncpy(em.username, optarg, sizeof(em.username)-1); | |
625 | em.namefound=1; | |
626 | break; | |
627 | case 'E': | |
628 | em.respeapid=atoi(optarg); | |
629 | em.eapid=1; | |
630 | break; | |
631 | case 'v': | |
632 | __verbosity++; | |
633 | break; | |
634 | case 'V': | |
635 | printf("eapmd5pass - 1.0\n$Id: eapmd5pass.c,v 1.4 2008/02/10 02:24:34 jwright Exp $\n"); | |
636 | return(0); | |
637 | break; | |
638 | default: | |
639 | usage(); | |
640 | return(-1); | |
641 | break; | |
642 | } | |
643 | } | |
644 | ||
645 | /* Register signal handlers */ | |
646 | signal(SIGINT, cleanexit); | |
647 | signal(SIGTERM, cleanexit); | |
648 | signal(SIGQUIT, cleanexit); | |
649 | ||
650 | ||
651 | /* Test for minimum number of arguments */ | |
652 | if (argc < 3) { | |
653 | usage(); | |
654 | return -1; | |
655 | } | |
656 | ||
657 | if (strlen(em.wordfile) < 1) { | |
658 | fprintf(stderr, "Must specify a dictionary file with -w.\n"); | |
659 | usage(); | |
660 | return -1; | |
661 | } | |
662 | ||
663 | if (em.namefound && em.chalfound && em.respfound && em.eapid) { | |
664 | /* User specified input parameters manually, assume success | |
665 | * and start cracking. | |
666 | */ | |
667 | em.succfound=1; | |
668 | eapmd5_attack(&em); | |
669 | return 0; | |
670 | } | |
671 | ||
672 | if (strlen(pcapfile) > 0) { | |
673 | /* User has specified a libpcap file for reading */ | |
674 | p = pcap_open_offline(pcapfile, errbuf); | |
675 | } else { | |
676 | p = pcap_open_live(iface, SNAPLEN, PROMISC, TIMEOUT, errbuf); | |
677 | } | |
678 | ||
679 | if (p == NULL) { | |
680 | fprintf(stderr, "Unable to open pcap device\n"); | |
681 | perror("pcap_open"); | |
682 | return -1; | |
683 | } | |
684 | ||
685 | /* Set non-blocking */ | |
686 | if (pcap_setnonblock(p, PCAP_DONOTBLOCK, errbuf) != 0) { | |
687 | fprintf(stderr, "Error placing pcap interface in non-blocking " | |
688 | "mode.\n"); | |
689 | perror("pcap_setnonblock"); | |
690 | pcap_close(p); | |
691 | return -1; | |
692 | } | |
693 | ||
694 | /* Examine header length to determine offset of the 802.11 header */ | |
695 | datalink = pcap_datalink(p); | |
696 | switch(datalink) { | |
697 | ||
698 | case DLT_IEEE802_11_RADIO: /* Variable length header */ | |
699 | offset = radiotap_offset(p, h); | |
700 | if (offset < sizeof(struct ieee80211_radiotap_header)) { | |
701 | fprintf(stderr, "Unable to determine offset from " | |
702 | "radiotap header (%d).\n", offset); | |
703 | usage(); | |
704 | return(-1); | |
705 | } | |
706 | break; | |
707 | ||
708 | case DLT_IEEE802_11: | |
709 | offset = DOT11_OFFSET_DOT11; | |
710 | break; | |
711 | ||
712 | case DLT_TZSP: | |
713 | offset = DOT11_OFFSET_TZSP; | |
714 | break; | |
715 | ||
716 | case DLT_PRISM_HEADER: | |
717 | offset = DOT11_OFFSET_PRISMAVS; | |
718 | break; | |
719 | ||
720 | default: | |
721 | fprintf(stderr, "Unrecognized datalink type %d.\n", datalink); | |
722 | usage(); | |
723 | return(-1); | |
724 | } | |
725 | ||
726 | /* Loop for each packet received */ | |
727 | signal(SIGALRM, break_pcaploop); | |
728 | ||
729 | /* We need a different routine for handling read from pcapfile vs. live | |
730 | interface, because pcap_dispatch returns 0 for EOF on pcapfile, or | |
731 | no packets retrieved due to blocking on a live interface */ | |
732 | if (strlen(pcapfile) > 0) { | |
733 | ret = pcap_dispatch(p, PCAP_LOOP_CNT, | |
734 | (pcap_handler)assess_packet, (u_char *)&em); | |
735 | if (ret != 0) { | |
736 | /* Error reading from packet capture file */ | |
737 | fprintf(stderr, "pcap_dispatch: %s\n", pcap_geterr(p)); | |
738 | return -1; | |
739 | } | |
740 | ||
741 | } else { /* live packet capture */ | |
742 | ||
743 | while(1) { | |
744 | ret = pcap_dispatch(p, PCAP_LOOP_CNT, | |
745 | (pcap_handler)assess_packet, | |
746 | (u_char *)&em); | |
747 | if (ret == 0) { | |
748 | /* No packets read, sleep and continue */ | |
749 | usleep(250000); | |
750 | continue; | |
751 | } else if (ret == -1) { | |
752 | fprintf(stderr, "pcap_loop: %s", | |
753 | pcap_geterr(p)); | |
754 | break; | |
755 | } else if (ret == -2) { | |
756 | /* returned -2, pcap_breakloop called */ | |
757 | break; | |
758 | } else { | |
759 | /* Packet retrieved successfully, continue */ | |
760 | continue; | |
761 | } | |
762 | } | |
763 | } | |
764 | ||
765 | if (__verbosity) { | |
766 | printf("Total packets observed: %ld\n", pcount); | |
767 | } | |
768 | ||
769 | pcap_close(p); | |
770 | ||
771 | if (em.recovered_pass > 0) { | |
772 | return 0; | |
773 | } else { | |
774 | return 1; | |
775 | } | |
776 | ||
777 | } |
0 | /* Copyright (c) 2007, Joshua Wright <[email protected]> | |
1 | * | |
2 | * This program is free software; you can redistribute it and/or modify | |
3 | * it under the terms of the GNU General Public License version 2 as | |
4 | * published by the Free Software Foundation. See COPYING for more | |
5 | * details. | |
6 | * | |
7 | * This software is distributed in the hope that it will be useful, | |
8 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
9 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
10 | * GNU General Public License for more details. | |
11 | */ | |
12 | ||
13 | #ifndef EAPMD5PASS_H | |
14 | #define EAPMD5PASS_H | |
15 | ||
16 | #define DOT11_OFFSET_DOT11 0 | |
17 | #define DOT11_OFFSET_TZSP 29 | |
18 | #define DOT11_OFFSET_PRISMAVS 144 | |
19 | ||
20 | #define PCAP_DONOTBLOCK 1 | |
21 | ||
22 | #define IEEE802_MACLEN 6 | |
23 | ||
24 | #define PCAP_LOOP_CNT -1 | |
25 | ||
26 | #define SNAPLEN 2312 | |
27 | #define PROMISC 1 | |
28 | #define TIMEOUT 500 | |
29 | ||
30 | struct eapmd5pass_data { | |
31 | uint8_t bssid[6]; | |
32 | char wordfile[1024]; | |
33 | unsigned int mcastid; | |
34 | uint8_t bssidset; | |
35 | int recovered_pass; | |
36 | ||
37 | /* Parser tracking values */ | |
38 | uint8_t namefound; | |
39 | uint8_t chalfound; | |
40 | uint8_t respfound; | |
41 | uint8_t succfound; | |
42 | uint8_t eapid; | |
43 | ||
44 | /* Extracted from EAP-MD5 exchange */ | |
45 | char username[64]; | |
46 | uint8_t challenge[16]; | |
47 | uint8_t response[16]; | |
48 | uint8_t respeapid; | |
49 | ||
50 | }; | |
51 | ||
52 | ||
53 | void cleanexit(); | |
54 | void usage(); | |
55 | int radiotap_offset(pcap_t *p, struct pcap_pkthdr *h); | |
56 | void assess_packet(char *user, struct pcap_pkthdr *h, u_int8_t *pkt); | |
57 | void eapmd5_nexttarget(struct eapmd5pass_data *em); | |
58 | int extract_eapusername(uint8_t *eap, int eaplen, struct eapmd5pass_data *em); | |
59 | int extract_eapchallenge(uint8_t *eap, int eaplen, struct eapmd5pass_data *em); | |
60 | int extract_eapresponse(uint8_t *eap, int eaplen, struct eapmd5pass_data *em); | |
61 | int extract_eapsuccess(uint8_t *eap, int eaplen, struct eapmd5pass_data *em); | |
62 | void break_pcaploop(); | |
63 | int main(int argc, char *argv[]); | |
64 | void eapmd5_attack(struct eapmd5pass_data *em); | |
65 | ||
66 | #endif |
0 | /* Copyright (c) 2007, Joshua Wright <[email protected]> | |
1 | * | |
2 | * This program is free software; you can redistribute it and/or modify | |
3 | * it under the terms of the GNU General Public License version 2 as | |
4 | * published by the Free Software Foundation. See COPYING for more | |
5 | * details. | |
6 | * | |
7 | * This software is distributed in the hope that it will be useful, | |
8 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
9 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
10 | * GNU General Public License for more details. | |
11 | */ | |
12 | ||
13 | #ifndef IEEE80211_H | |
14 | #define IEEE80211_H | |
15 | ||
16 | #define DOT11HDR_A1_LEN 10 | |
17 | #define DOT11HDR_A3_LEN 24 | |
18 | #define DOT11HDR_A4_LEN 30 | |
19 | #define DOT11HDR_MAC_LEN 6 | |
20 | #define DOT11HDR_MINLEN DOT11HDR_A1_LEN | |
21 | ||
22 | #define DOT11_FC_TYPE_MGMT 0 | |
23 | #define DOT11_FC_TYPE_CTRL 1 | |
24 | #define DOT11_FC_TYPE_DATA 2 | |
25 | ||
26 | #define DOT11_FC_SUBTYPE_ASSOCREQ 0 | |
27 | #define DOT11_FC_SUBTYPE_ASSOCRESP 1 | |
28 | #define DOT11_FC_SUBTYPE_REASSOCREQ 2 | |
29 | #define DOT11_FC_SUBTYPE_REASSOCRESP 3 | |
30 | #define DOT11_FC_SUBTYPE_PROBEREQ 4 | |
31 | #define DOT11_FC_SUBTYPE_PROBERESP 5 | |
32 | #define DOT11_FC_SUBTYPE_BEACON 8 | |
33 | #define DOT11_FC_SUBTYPE_ATIM 9 | |
34 | #define DOT11_FC_SUBTYPE_DISASSOC 10 | |
35 | #define DOT11_FC_SUBTYPE_AUTH 11 | |
36 | #define DOT11_FC_SUBTYPE_DEAUTH 12 | |
37 | ||
38 | #define DOT11_FC_SUBTYPE_PSPOLL 10 | |
39 | #define DOT11_FC_SUBTYPE_RTS 11 | |
40 | #define DOT11_FC_SUBTYPE_CTS 12 | |
41 | #define DOT11_FC_SUBTYPE_ACK 13 | |
42 | #define DOT11_FC_SUBTYPE_CFEND 14 | |
43 | #define DOT11_FC_SUBTYPE_CFENDACK 15 | |
44 | ||
45 | #define DOT11_FC_SUBTYPE_DATA 0 | |
46 | #define DOT11_FC_SUBTYPE_DATACFACK 1 | |
47 | #define DOT11_FC_SUBTYPE_DATACFPOLL 2 | |
48 | #define DOT11_FC_SUBTYPE_DATACFACKPOLL 3 | |
49 | #define DOT11_FC_SUBTYPE_DATANULL 4 | |
50 | #define DOT11_FC_SUBTYPE_CFACK 5 | |
51 | #define DOT11_FC_SUBTYPE_CFACKPOLL 6 | |
52 | #define DOT11_FC_SUBTYPE_CFACKPOLLNODATA 7 | |
53 | #define DOT11_FC_SUBTYPE_QOSDATA 8 | |
54 | /* 9 - 11 reserved as of 11/7/2005 - JWRIGHT */ | |
55 | #define DOT11_FC_SUBTYPE_QOSNULL 12 | |
56 | ||
57 | struct dot11hdr { | |
58 | union { | |
59 | struct { | |
60 | uint8_t version:2; | |
61 | uint8_t type:2; | |
62 | uint8_t subtype:4; | |
63 | uint8_t to_ds:1; | |
64 | uint8_t from_ds:1; | |
65 | uint8_t more_frag:1; | |
66 | uint8_t retry:1; | |
67 | uint8_t pwrmgmt:1; | |
68 | uint8_t more_data:1; | |
69 | uint8_t protected:1; | |
70 | uint8_t order:1; | |
71 | } __attribute__ ((packed)) fc; | |
72 | ||
73 | uint16_t fchdr; | |
74 | } u1; | |
75 | ||
76 | uint16_t duration; | |
77 | uint8_t addr1[6]; | |
78 | uint8_t addr2[6]; | |
79 | uint8_t addr3[6]; | |
80 | ||
81 | union { | |
82 | struct { | |
83 | uint16_t fragment:4; | |
84 | uint16_t sequence:12; | |
85 | } __attribute__ ((packed)) seq; | |
86 | ||
87 | uint16_t seqhdr; | |
88 | } u2; | |
89 | ||
90 | } __attribute__ ((packed)); | |
91 | ||
92 | #define dot11hdra3 dot11hdr | |
93 | #define ieee80211 dot11hdr | |
94 | ||
95 | struct ieee80211_qos { | |
96 | uint8_t priority:3; | |
97 | uint8_t reserved3:1; | |
98 | uint8_t eosp:1; | |
99 | uint8_t ackpol:2; | |
100 | uint8_t reserved1:1; | |
101 | uint8_t reserved2; | |
102 | } __attribute__ ((packed)); | |
103 | #define DOT11HDR_QOS_LEN 2 | |
104 | ||
105 | ||
106 | struct ieee8022 { | |
107 | uint8_t dsap; | |
108 | uint8_t ssap; | |
109 | uint8_t control; | |
110 | uint8_t oui[3]; | |
111 | uint16_t type; | |
112 | } __attribute__ ((packed)); | |
113 | #define DOT2HDR_LEN sizeof(struct ieee8022) | |
114 | ||
115 | #define IEEE8022_SNAP 0xaa | |
116 | #define IEEE8022_TYPE_IP 0x0800 | |
117 | #define IEEE8022_TYPE_DOT1X 0x888e | |
118 | #define IEEE8022_TYPE_ARP 0x0806 | |
119 | ||
120 | ||
121 | #endif |
0 | /* Copyright (c) 2007, Joshua Wright <[email protected]> | |
1 | * | |
2 | * This program is free software; you can redistribute it and/or modify | |
3 | * it under the terms of the GNU General Public License version 2 as | |
4 | * published by the Free Software Foundation. See COPYING for more | |
5 | * details. | |
6 | * | |
7 | * This software is distributed in the hope that it will be useful, | |
8 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
9 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
10 | * GNU General Public License for more details. | |
11 | */ | |
12 | ||
13 | #ifndef IEEE8021X_H | |
14 | #define IEEE8021X_H | |
15 | ||
16 | /* The 802.1X header indicates a version, type and length */ | |
17 | struct ieee8021x { | |
18 | uint8_t version; | |
19 | uint8_t type; | |
20 | uint16_t len; | |
21 | } __attribute__ ((packed)); | |
22 | #define DOT1XHDR_LEN sizeof(struct ieee8021x) | |
23 | ||
24 | #define DOT1X_VERSION1 1 | |
25 | #define DOT1X_VERSION2 2 | |
26 | #define DOT1X_TYPE_EAP 0 | |
27 | ||
28 | #endif |
0 | /* Copyright (c) 2007, Joshua Wright <[email protected]> | |
1 | * | |
2 | * This program is free software; you can redistribute it and/or modify | |
3 | * it under the terms of the GNU General Public License version 2 as | |
4 | * published by the Free Software Foundation. See COPYING for more | |
5 | * details. | |
6 | * | |
7 | * This software is distributed in the hope that it will be useful, | |
8 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
9 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
10 | * GNU General Public License for more details. | |
11 | */ | |
12 | ||
13 | #ifndef IETFPROTO_H | |
14 | #define IETFPROTO_H | |
15 | ||
16 | /* EAP message constants */ | |
17 | #define EAP_REQUEST 1 | |
18 | #define EAP_RESPONSE 2 | |
19 | #define EAP_SUCCESS 3 | |
20 | #define EAP_FAILURE 4 | |
21 | ||
22 | /* EAP types, more at http://www.iana.org/assignments/eap-numbers */ | |
23 | #define EAP_TYPE_EAP 0 | |
24 | #define EAP_TYPE_ID 1 | |
25 | #define EAP_TYPE_MD5 4 | |
26 | ||
27 | struct eap_hdr { | |
28 | uint8_t code; /* 1=request, 2=response, 3=success, 4=failure? */ | |
29 | uint8_t identifier; | |
30 | uint16_t length; /* Length of the entire EAP message */ | |
31 | ||
32 | /* The following fields may not be present in all EAP frames */ | |
33 | uint8_t type; | |
34 | uint8_t flags; | |
35 | uint32_t totallen; | |
36 | } __attribute__ ((packed)); | |
37 | #define EAPHDR_MIN_LEN 4 | |
38 | ||
39 | #endif |
0 | /* $FreeBSD: src/sys/net80211/ieee80211_radiotap.h,v 1.5 2005/01/22 20:12:05 sam Exp $ */ | |
1 | /* $NetBSD: ieee80211_radiotap.h,v 1.11 2005/06/22 06:16:02 dyoung Exp $ */ | |
2 | ||
3 | /*- | |
4 | * Copyright (c) 2003, 2004 David Young. All rights reserved. | |
5 | * | |
6 | * Redistribution and use in source and binary forms, with or without | |
7 | * modification, are permitted provided that the following conditions | |
8 | * are met: | |
9 | * 1. Redistributions of source code must retain the above copyright | |
10 | * notice, this list of conditions and the following disclaimer. | |
11 | * 2. Redistributions in binary form must reproduce the above copyright | |
12 | * notice, this list of conditions and the following disclaimer in the | |
13 | * documentation and/or other materials provided with the distribution. | |
14 | * 3. The name of David Young may not be used to endorse or promote | |
15 | * products derived from this software without specific prior | |
16 | * written permission. | |
17 | * | |
18 | * THIS SOFTWARE IS PROVIDED BY DAVID YOUNG ``AS IS'' AND ANY | |
19 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, | |
20 | * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A | |
21 | * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL DAVID | |
22 | * YOUNG BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, | |
23 | * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED | |
24 | * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | |
25 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND | |
26 | * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
28 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY | |
29 | * OF SUCH DAMAGE. | |
30 | */ | |
31 | ||
32 | #ifndef RADIOTAP_H | |
33 | #define RADIOTAP_H | |
34 | ||
35 | /* Kluge the radiotap linktype for now if we don't have it */ | |
36 | #ifndef LNX_ARPHRD_IEEE80211_RADIOTAP | |
37 | #define LNX_ARPHRD_IEEE80211_RADIOTAP 803 | |
38 | #endif | |
39 | ||
40 | /* Radiotap header version (from official NetBSD feed) */ | |
41 | #define IEEE80211RADIOTAP_VERSION "1.5" | |
42 | /* Base version of the radiotap packet header data */ | |
43 | #define PKTHDR_RADIOTAP_VERSION 0 | |
44 | ||
45 | /* The radio capture header precedes the 802.11 header. */ | |
46 | struct ieee80211_radiotap_header { | |
47 | u_int8_t it_version; /* Version 0. Only increases | |
48 | * for drastic changes, | |
49 | * introduction of compatible | |
50 | * new fields does not count. | |
51 | */ | |
52 | u_int8_t it_pad; | |
53 | u_int16_t it_len; /* length of the whole | |
54 | * header in bytes, including | |
55 | * int_version, it_pad, | |
56 | * it_len, and data fields. | |
57 | */ | |
58 | u_int32_t it_present; /* A bitmap telling which | |
59 | * fields are present. Set bit 31 | |
60 | * (0x80000000) to extend the | |
61 | * bitmap by another 32 bits. | |
62 | * Additional extensions are made | |
63 | * by setting bit 31. | |
64 | */ | |
65 | }; | |
66 | ||
67 | /* Name Data type Units | |
68 | * ---- --------- ----- | |
69 | * | |
70 | * IEEE80211_RADIOTAP_TSFT u_int64_t microseconds | |
71 | * | |
72 | * Value in microseconds of the MAC's 64-bit 802.11 Time | |
73 | * Synchronization Function timer when the first bit of the | |
74 | * MPDU arrived at the MAC. For received frames, only. | |
75 | * | |
76 | * IEEE80211_RADIOTAP_CHANNEL 2 x u_int16_t MHz, bitmap | |
77 | * | |
78 | * Tx/Rx frequency in MHz, followed by flags (see below). | |
79 | * | |
80 | * IEEE80211_RADIOTAP_FHSS u_int16_t see below | |
81 | * | |
82 | * For frequency-hopping radios, the hop set (first byte) | |
83 | * and pattern (second byte). | |
84 | * | |
85 | * IEEE80211_RADIOTAP_RATE u_int8_t 500kb/s | |
86 | * | |
87 | * Tx/Rx data rate | |
88 | * | |
89 | * IEEE80211_RADIOTAP_DBM_ANTSIGNAL int8_t decibels from | |
90 | * one milliwatt (dBm) | |
91 | * | |
92 | * RF signal power at the antenna, decibel difference from | |
93 | * one milliwatt. | |
94 | * | |
95 | * IEEE80211_RADIOTAP_DBM_ANTNOISE int8_t decibels from | |
96 | * one milliwatt (dBm) | |
97 | * | |
98 | * RF noise power at the antenna, decibel difference from one | |
99 | * milliwatt. | |
100 | * | |
101 | * IEEE80211_RADIOTAP_DB_ANTSIGNAL u_int8_t decibel (dB) | |
102 | * | |
103 | * RF signal power at the antenna, decibel difference from an | |
104 | * arbitrary, fixed reference. | |
105 | * | |
106 | * IEEE80211_RADIOTAP_DB_ANTNOISE u_int8_t decibel (dB) | |
107 | * | |
108 | * RF noise power at the antenna, decibel difference from an | |
109 | * arbitrary, fixed reference point. | |
110 | * | |
111 | * IEEE80211_RADIOTAP_LOCK_QUALITY u_int16_t unitless | |
112 | * | |
113 | * Quality of Barker code lock. Unitless. Monotonically | |
114 | * nondecreasing with "better" lock strength. Called "Signal | |
115 | * Quality" in datasheets. (Is there a standard way to measure | |
116 | * this?) | |
117 | * | |
118 | * IEEE80211_RADIOTAP_TX_ATTENUATION u_int16_t unitless | |
119 | * | |
120 | * Transmit power expressed as unitless distance from max | |
121 | * power set at factory calibration. 0 is max power. | |
122 | * Monotonically nondecreasing with lower power levels. | |
123 | * | |
124 | * IEEE80211_RADIOTAP_DB_TX_ATTENUATION u_int16_t decibels (dB) | |
125 | * | |
126 | * Transmit power expressed as decibel distance from max power | |
127 | * set at factory calibration. 0 is max power. Monotonically | |
128 | * nondecreasing with lower power levels. | |
129 | * | |
130 | * IEEE80211_RADIOTAP_DBM_TX_POWER int8_t decibels from | |
131 | * one milliwatt (dBm) | |
132 | * | |
133 | * Transmit power expressed as dBm (decibels from a 1 milliwatt | |
134 | * reference). This is the absolute power level measured at | |
135 | * the antenna port. | |
136 | * | |
137 | * IEEE80211_RADIOTAP_FLAGS u_int8_t bitmap | |
138 | * | |
139 | * Properties of transmitted and received frames. See flags | |
140 | * defined below. | |
141 | * | |
142 | * IEEE80211_RADIOTAP_ANTENNA u_int8_t antenna index | |
143 | * | |
144 | * Unitless indication of the Rx/Tx antenna for this packet. | |
145 | * The first antenna is antenna 0. | |
146 | * | |
147 | * IEEE80211_RADIOTAP_FCS u_int32_t data | |
148 | * | |
149 | * FCS from frame in network byte order. | |
150 | */ | |
151 | enum ieee80211_radiotap_type { | |
152 | IEEE80211_RADIOTAP_TSFT = 0, | |
153 | IEEE80211_RADIOTAP_FLAGS = 1, | |
154 | IEEE80211_RADIOTAP_RATE = 2, | |
155 | IEEE80211_RADIOTAP_CHANNEL = 3, | |
156 | IEEE80211_RADIOTAP_FHSS = 4, | |
157 | IEEE80211_RADIOTAP_DBM_ANTSIGNAL = 5, | |
158 | IEEE80211_RADIOTAP_DBM_ANTNOISE = 6, | |
159 | IEEE80211_RADIOTAP_LOCK_QUALITY = 7, | |
160 | IEEE80211_RADIOTAP_TX_ATTENUATION = 8, | |
161 | IEEE80211_RADIOTAP_DB_TX_ATTENUATION = 9, | |
162 | IEEE80211_RADIOTAP_DBM_TX_POWER = 10, | |
163 | IEEE80211_RADIOTAP_ANTENNA = 11, | |
164 | IEEE80211_RADIOTAP_DB_ANTSIGNAL = 12, | |
165 | IEEE80211_RADIOTAP_DB_ANTNOISE = 13, | |
166 | IEEE80211_RADIOTAP_FCS = 14, | |
167 | IEEE80211_RADIOTAP_EXT = 31, | |
168 | }; | |
169 | ||
170 | /* Channel flags. */ | |
171 | #define IEEE80211_CHAN_TURBO 0x0010 /* Turbo channel */ | |
172 | #define IEEE80211_CHAN_CCK 0x0020 /* CCK channel */ | |
173 | #define IEEE80211_CHAN_OFDM 0x0040 /* OFDM channel */ | |
174 | #define IEEE80211_CHAN_2GHZ 0x0080 /* 2 GHz spectrum channel. */ | |
175 | #define IEEE80211_CHAN_5GHZ 0x0100 /* 5 GHz spectrum channel */ | |
176 | #define IEEE80211_CHAN_PASSIVE 0x0200 /* Only passive scan allowed */ | |
177 | #define IEEE80211_CHAN_DYN 0x0400 /* Dynamic CCK-OFDM channel */ | |
178 | #define IEEE80211_CHAN_GFSK 0x0800 /* GFSK channel (FHSS PHY) */ | |
179 | ||
180 | /* For IEEE80211_RADIOTAP_FLAGS */ | |
181 | #define IEEE80211_RADIOTAP_F_CFP 0x01 /* sent/received | |
182 | * during CFP | |
183 | */ | |
184 | #define IEEE80211_RADIOTAP_F_SHORTPRE 0x02 /* sent/received | |
185 | * with short | |
186 | * preamble | |
187 | */ | |
188 | #define IEEE80211_RADIOTAP_F_WEP 0x04 /* sent/received | |
189 | * with WEP encryption | |
190 | */ | |
191 | #define IEEE80211_RADIOTAP_F_FRAG 0x08 /* sent/received | |
192 | * with fragmentation | |
193 | */ | |
194 | #define IEEE80211_RADIOTAP_F_FCS 0x10 /* frame includes FCS */ | |
195 | #define IEEE80211_RADIOTAP_F_DATAPAD 0x20 /* frame has padding between | |
196 | * 802.11 header and payload | |
197 | * (to 32-bit boundary) | |
198 | */ | |
199 | ||
200 | /* Ugly macro to convert literal channel numbers into their mhz equivalents | |
201 | * There are certianly some conditions that will break this (like feeding it '30') | |
202 | * but they shouldn't arise since nothing talks on channel 30. */ | |
203 | #define ieee80211chan2mhz(x) \ | |
204 | (((x) <= 14) ? \ | |
205 | (((x) == 14) ? 2484 : ((x) * 5) + 2407) : \ | |
206 | ((x) + 1000) * 5) | |
207 | ||
208 | #endif /* RADIOTAP_H */ | |
209 |
0 | /* Copyright (c) 2007, Joshua Wright <[email protected]> | |
1 | * | |
2 | * This program is free software; you can redistribute it and/or modify | |
3 | * it under the terms of the GNU General Public License version 2 as | |
4 | * published by the Free Software Foundation. See COPYING for more | |
5 | * details. | |
6 | * | |
7 | * This software is distributed in the hope that it will be useful, | |
8 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
9 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
10 | * GNU General Public License for more details. | |
11 | */ | |
12 | ||
13 | #include <stdlib.h> | |
14 | #include <stdio.h> | |
15 | #include <stdarg.h> | |
16 | #include <string.h> | |
17 | #include <stdint.h> | |
18 | #include <crypt.h> | |
19 | #include <unistd.h> | |
20 | #include <ctype.h> | |
21 | #include <netinet/in.h> /* for ntohs() */ | |
22 | #include <errno.h> | |
23 | #include <sys/types.h> | |
24 | #include "utils.h" | |
25 | ||
26 | void lamont_hdump(unsigned char *bp, unsigned int length); | |
27 | char *printmac(unsigned char *mac); | |
28 | ||
29 | /* A better version of hdump, from Lamont Granquist. Modified slightly | |
30 | by Fyodor ([email protected]) */ | |
31 | void lamont_hdump(unsigned char *bp, unsigned int length) | |
32 | { | |
33 | ||
34 | /* stolen from tcpdump, then kludged extensively */ | |
35 | ||
36 | static const char asciify[] = | |
37 | "................................ !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~................................................................................................................................."; | |
38 | ||
39 | const unsigned short *sp; | |
40 | const unsigned char *ap; | |
41 | unsigned int i, j; | |
42 | int nshorts, nshorts2; | |
43 | int padding; | |
44 | ||
45 | printf("\n\t"); | |
46 | padding = 0; | |
47 | sp = (unsigned short *)bp; | |
48 | ap = (unsigned char *)bp; | |
49 | nshorts = (unsigned int)length / sizeof(unsigned short); | |
50 | nshorts2 = (unsigned int)length / sizeof(unsigned short); | |
51 | i = 0; | |
52 | j = 0; | |
53 | while (1) { | |
54 | while (--nshorts >= 0) { | |
55 | printf(" %04x", ntohs(*sp)); | |
56 | sp++; | |
57 | if ((++i % 8) == 0) | |
58 | break; | |
59 | } | |
60 | if (nshorts < 0) { | |
61 | if ((length & 1) && (((i - 1) % 8) != 0)) { | |
62 | printf(" %02x ", *(unsigned char *)sp); | |
63 | padding++; | |
64 | } | |
65 | nshorts = (8 - (nshorts2 - nshorts)); | |
66 | while (--nshorts >= 0) { | |
67 | printf(" "); | |
68 | } | |
69 | if (!padding) | |
70 | printf(" "); | |
71 | } | |
72 | printf(" "); | |
73 | ||
74 | while (--nshorts2 >= 0) { | |
75 | printf("%c%c", asciify[*ap], asciify[*(ap + 1)]); | |
76 | ap += 2; | |
77 | if ((++j % 8) == 0) { | |
78 | printf("\n\t"); | |
79 | break; | |
80 | } | |
81 | } | |
82 | if (nshorts2 < 0) { | |
83 | if ((length & 1) && (((j - 1) % 8) != 0)) { | |
84 | printf("%c", asciify[*ap]); | |
85 | } | |
86 | break; | |
87 | } | |
88 | } | |
89 | if ((length & 1) && (((i - 1) % 8) == 0)) { | |
90 | printf(" %02x", *(unsigned char *)sp); | |
91 | printf(" %c", | |
92 | asciify[*ap]); | |
93 | } | |
94 | printf("\n"); | |
95 | } | |
96 | ||
97 | int str2mac(char *string, uint8_t *mac) | |
98 | { | |
99 | ||
100 | char *ptr, *next; | |
101 | unsigned long val; | |
102 | int i; | |
103 | ||
104 | to_upper(string); | |
105 | ||
106 | ptr = next = string; | |
107 | for (i = 0; i < 6; i++) { | |
108 | if ((val = strtoul(next, &ptr, 16)) > 255) { | |
109 | return (-1); | |
110 | } | |
111 | mac[i] = (uint8_t) val; | |
112 | if ((next == ptr) && (i != 6 - 1)) { | |
113 | return (-1); | |
114 | } | |
115 | next = ptr + 1; | |
116 | } | |
117 | ||
118 | return (0); | |
119 | } | |
120 | ||
121 | void to_upper (char *s) | |
122 | { | |
123 | ||
124 | char *p; | |
125 | char offset; | |
126 | ||
127 | offset = 'A' - 'a'; | |
128 | for (p = s; *p != '\0'; p++) { | |
129 | if (islower(*p)) { | |
130 | *p += offset; | |
131 | } | |
132 | } | |
133 | } | |
134 | ||
135 | ||
136 | int str2hex (char *string, uint8_t *hexstr, int len) | |
137 | { | |
138 | char *ptr, *next; | |
139 | unsigned long val; | |
140 | int i; | |
141 | ||
142 | ptr = next = string; | |
143 | for(i=0;i < len;i++) { | |
144 | if((val = strtoul(next, &ptr, 16)) > 255) { | |
145 | errno = EINVAL; | |
146 | return(-1); | |
147 | } | |
148 | hexstr[i] = (unsigned int)val; | |
149 | if((next == ptr) && (i != len - 1)) { | |
150 | errno = EINVAL; | |
151 | return(-1); | |
152 | } | |
153 | next = ptr + 1; | |
154 | } | |
155 | ||
156 | return(1); | |
157 | } |
0 | /* Copyright (c) 2007, Joshua Wright <[email protected]> | |
1 | * | |
2 | * This program is free software; you can redistribute it and/or modify | |
3 | * it under the terms of the GNU General Public License version 2 as | |
4 | * published by the Free Software Foundation. See COPYING for more | |
5 | * details. | |
6 | * | |
7 | * This software is distributed in the hope that it will be useful, | |
8 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
9 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
10 | * GNU General Public License for more details. | |
11 | */ | |
12 | ||
13 | /* Prototypes */ | |
14 | void lamont_hdump(unsigned char *bp, unsigned int length); | |
15 | int str2mac(char *string, uint8_t *mac); | |
16 | void to_upper (char *s); | |
17 | int str2hex (char *string, uint8_t *hexstr, int len); |