Codebase list eapmd5pass / upstream/latest
Imported Upstream version 1.4 Devon Kearns 11 years ago
16 changed file(s) with 1929 addition(s) and 0 deletion(s). Raw diff Collapse all Expand all
+340
-0
COPYING less more
0 GNU GENERAL PUBLIC LICENSE
1 Version 2, June 1991
2
3 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
4 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
5 Everyone is permitted to copy and distribute verbatim copies
6 of this license document, but changing it is not allowed.
7
8 Preamble
9
10 The licenses for most software are designed to take away your
11 freedom to share and change it. By contrast, the GNU General Public
12 License is intended to guarantee your freedom to share and change free
13 software--to make sure the software is free for all its users. This
14 General Public License applies to most of the Free Software
15 Foundation's software and to any other program whose authors commit to
16 using it. (Some other Free Software Foundation software is covered by
17 the GNU Library General Public License instead.) You can apply it to
18 your programs, too.
19
20 When we speak of free software, we are referring to freedom, not
21 price. Our General Public Licenses are designed to make sure that you
22 have the freedom to distribute copies of free software (and charge for
23 this service if you wish), that you receive source code or can get it
24 if you want it, that you can change the software or use pieces of it
25 in new free programs; and that you know you can do these things.
26
27 To protect your rights, we need to make restrictions that forbid
28 anyone to deny you these rights or to ask you to surrender the rights.
29 These restrictions translate to certain responsibilities for you if you
30 distribute copies of the software, or if you modify it.
31
32 For example, if you distribute copies of such a program, whether
33 gratis or for a fee, you must give the recipients all the rights that
34 you have. You must make sure that they, too, receive or can get the
35 source code. And you must show them these terms so they know their
36 rights.
37
38 We protect your rights with two steps: (1) copyright the software, and
39 (2) offer you this license which gives you legal permission to copy,
40 distribute and/or modify the software.
41
42 Also, for each author's protection and ours, we want to make certain
43 that everyone understands that there is no warranty for this free
44 software. If the software is modified by someone else and passed on, we
45 want its recipients to know that what they have is not the original, so
46 that any problems introduced by others will not reflect on the original
47 authors' reputations.
48
49 Finally, any free program is threatened constantly by software
50 patents. We wish to avoid the danger that redistributors of a free
51 program will individually obtain patent licenses, in effect making the
52 program proprietary. To prevent this, we have made it clear that any
53 patent must be licensed for everyone's free use or not licensed at all.
54
55 The precise terms and conditions for copying, distribution and
56 modification follow.
57
58 GNU GENERAL PUBLIC LICENSE
59 TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
60
61 0. This License applies to any program or other work which contains
62 a notice placed by the copyright holder saying it may be distributed
63 under the terms of this General Public License. The "Program", below,
64 refers to any such program or work, and a "work based on the Program"
65 means either the Program or any derivative work under copyright law:
66 that is to say, a work containing the Program or a portion of it,
67 either verbatim or with modifications and/or translated into another
68 language. (Hereinafter, translation is included without limitation in
69 the term "modification".) Each licensee is addressed as "you".
70
71 Activities other than copying, distribution and modification are not
72 covered by this License; they are outside its scope. The act of
73 running the Program is not restricted, and the output from the Program
74 is covered only if its contents constitute a work based on the
75 Program (independent of having been made by running the Program).
76 Whether that is true depends on what the Program does.
77
78 1. You may copy and distribute verbatim copies of the Program's
79 source code as you receive it, in any medium, provided that you
80 conspicuously and appropriately publish on each copy an appropriate
81 copyright notice and disclaimer of warranty; keep intact all the
82 notices that refer to this License and to the absence of any warranty;
83 and give any other recipients of the Program a copy of this License
84 along with the Program.
85
86 You may charge a fee for the physical act of transferring a copy, and
87 you may at your option offer warranty protection in exchange for a fee.
88
89 2. You may modify your copy or copies of the Program or any portion
90 of it, thus forming a work based on the Program, and copy and
91 distribute such modifications or work under the terms of Section 1
92 above, provided that you also meet all of these conditions:
93
94 a) You must cause the modified files to carry prominent notices
95 stating that you changed the files and the date of any change.
96
97 b) You must cause any work that you distribute or publish, that in
98 whole or in part contains or is derived from the Program or any
99 part thereof, to be licensed as a whole at no charge to all third
100 parties under the terms of this License.
101
102 c) If the modified program normally reads commands interactively
103 when run, you must cause it, when started running for such
104 interactive use in the most ordinary way, to print or display an
105 announcement including an appropriate copyright notice and a
106 notice that there is no warranty (or else, saying that you provide
107 a warranty) and that users may redistribute the program under
108 these conditions, and telling the user how to view a copy of this
109 License. (Exception: if the Program itself is interactive but
110 does not normally print such an announcement, your work based on
111 the Program is not required to print an announcement.)
112
113 These requirements apply to the modified work as a whole. If
114 identifiable sections of that work are not derived from the Program,
115 and can be reasonably considered independent and separate works in
116 themselves, then this License, and its terms, do not apply to those
117 sections when you distribute them as separate works. But when you
118 distribute the same sections as part of a whole which is a work based
119 on the Program, the distribution of the whole must be on the terms of
120 this License, whose permissions for other licensees extend to the
121 entire whole, and thus to each and every part regardless of who wrote it.
122
123 Thus, it is not the intent of this section to claim rights or contest
124 your rights to work written entirely by you; rather, the intent is to
125 exercise the right to control the distribution of derivative or
126 collective works based on the Program.
127
128 In addition, mere aggregation of another work not based on the Program
129 with the Program (or with a work based on the Program) on a volume of
130 a storage or distribution medium does not bring the other work under
131 the scope of this License.
132
133 3. You may copy and distribute the Program (or a work based on it,
134 under Section 2) in object code or executable form under the terms of
135 Sections 1 and 2 above provided that you also do one of the following:
136
137 a) Accompany it with the complete corresponding machine-readable
138 source code, which must be distributed under the terms of Sections
139 1 and 2 above on a medium customarily used for software interchange; or,
140
141 b) Accompany it with a written offer, valid for at least three
142 years, to give any third party, for a charge no more than your
143 cost of physically performing source distribution, a complete
144 machine-readable copy of the corresponding source code, to be
145 distributed under the terms of Sections 1 and 2 above on a medium
146 customarily used for software interchange; or,
147
148 c) Accompany it with the information you received as to the offer
149 to distribute corresponding source code. (This alternative is
150 allowed only for noncommercial distribution and only if you
151 received the program in object code or executable form with such
152 an offer, in accord with Subsection b above.)
153
154 The source code for a work means the preferred form of the work for
155 making modifications to it. For an executable work, complete source
156 code means all the source code for all modules it contains, plus any
157 associated interface definition files, plus the scripts used to
158 control compilation and installation of the executable. However, as a
159 special exception, the source code distributed need not include
160 anything that is normally distributed (in either source or binary
161 form) with the major components (compiler, kernel, and so on) of the
162 operating system on which the executable runs, unless that component
163 itself accompanies the executable.
164
165 If distribution of executable or object code is made by offering
166 access to copy from a designated place, then offering equivalent
167 access to copy the source code from the same place counts as
168 distribution of the source code, even though third parties are not
169 compelled to copy the source along with the object code.
170
171 4. You may not copy, modify, sublicense, or distribute the Program
172 except as expressly provided under this License. Any attempt
173 otherwise to copy, modify, sublicense or distribute the Program is
174 void, and will automatically terminate your rights under this License.
175 However, parties who have received copies, or rights, from you under
176 this License will not have their licenses terminated so long as such
177 parties remain in full compliance.
178
179 5. You are not required to accept this License, since you have not
180 signed it. However, nothing else grants you permission to modify or
181 distribute the Program or its derivative works. These actions are
182 prohibited by law if you do not accept this License. Therefore, by
183 modifying or distributing the Program (or any work based on the
184 Program), you indicate your acceptance of this License to do so, and
185 all its terms and conditions for copying, distributing or modifying
186 the Program or works based on it.
187
188 6. Each time you redistribute the Program (or any work based on the
189 Program), the recipient automatically receives a license from the
190 original licensor to copy, distribute or modify the Program subject to
191 these terms and conditions. You may not impose any further
192 restrictions on the recipients' exercise of the rights granted herein.
193 You are not responsible for enforcing compliance by third parties to
194 this License.
195
196 7. If, as a consequence of a court judgment or allegation of patent
197 infringement or for any other reason (not limited to patent issues),
198 conditions are imposed on you (whether by court order, agreement or
199 otherwise) that contradict the conditions of this License, they do not
200 excuse you from the conditions of this License. If you cannot
201 distribute so as to satisfy simultaneously your obligations under this
202 License and any other pertinent obligations, then as a consequence you
203 may not distribute the Program at all. For example, if a patent
204 license would not permit royalty-free redistribution of the Program by
205 all those who receive copies directly or indirectly through you, then
206 the only way you could satisfy both it and this License would be to
207 refrain entirely from distribution of the Program.
208
209 If any portion of this section is held invalid or unenforceable under
210 any particular circumstance, the balance of the section is intended to
211 apply and the section as a whole is intended to apply in other
212 circumstances.
213
214 It is not the purpose of this section to induce you to infringe any
215 patents or other property right claims or to contest validity of any
216 such claims; this section has the sole purpose of protecting the
217 integrity of the free software distribution system, which is
218 implemented by public license practices. Many people have made
219 generous contributions to the wide range of software distributed
220 through that system in reliance on consistent application of that
221 system; it is up to the author/donor to decide if he or she is willing
222 to distribute software through any other system and a licensee cannot
223 impose that choice.
224
225 This section is intended to make thoroughly clear what is believed to
226 be a consequence of the rest of this License.
227
228 8. If the distribution and/or use of the Program is restricted in
229 certain countries either by patents or by copyrighted interfaces, the
230 original copyright holder who places the Program under this License
231 may add an explicit geographical distribution limitation excluding
232 those countries, so that distribution is permitted only in or among
233 countries not thus excluded. In such case, this License incorporates
234 the limitation as if written in the body of this License.
235
236 9. The Free Software Foundation may publish revised and/or new versions
237 of the General Public License from time to time. Such new versions will
238 be similar in spirit to the present version, but may differ in detail to
239 address new problems or concerns.
240
241 Each version is given a distinguishing version number. If the Program
242 specifies a version number of this License which applies to it and "any
243 later version", you have the option of following the terms and conditions
244 either of that version or of any later version published by the Free
245 Software Foundation. If the Program does not specify a version number of
246 this License, you may choose any version ever published by the Free Software
247 Foundation.
248
249 10. If you wish to incorporate parts of the Program into other free
250 programs whose distribution conditions are different, write to the author
251 to ask for permission. For software which is copyrighted by the Free
252 Software Foundation, write to the Free Software Foundation; we sometimes
253 make exceptions for this. Our decision will be guided by the two goals
254 of preserving the free status of all derivatives of our free software and
255 of promoting the sharing and reuse of software generally.
256
257 NO WARRANTY
258
259 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
260 FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
261 OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
262 PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
263 OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
264 MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
265 TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
266 PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
267 REPAIR OR CORRECTION.
268
269 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
270 WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
271 REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
272 INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
273 OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
274 TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
275 YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
276 PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
277 POSSIBILITY OF SUCH DAMAGES.
278
279 END OF TERMS AND CONDITIONS
280
281 How to Apply These Terms to Your New Programs
282
283 If you develop a new program, and you want it to be of the greatest
284 possible use to the public, the best way to achieve this is to make it
285 free software which everyone can redistribute and change under these terms.
286
287 To do so, attach the following notices to the program. It is safest
288 to attach them to the start of each source file to most effectively
289 convey the exclusion of warranty; and each file should have at least
290 the "copyright" line and a pointer to where the full notice is found.
291
292 <one line to give the program's name and a brief idea of what it does.>
293 Copyright (C) 19yy <name of author>
294
295 This program is free software; you can redistribute it and/or modify
296 it under the terms of the GNU General Public License as published by
297 the Free Software Foundation; either version 2 of the License, or
298 (at your option) any later version.
299
300 This program is distributed in the hope that it will be useful,
301 but WITHOUT ANY WARRANTY; without even the implied warranty of
302 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
303 GNU General Public License for more details.
304
305 You should have received a copy of the GNU General Public License
306 along with this program; if not, write to the Free Software
307 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
308
309
310 Also add information on how to contact you by electronic and paper mail.
311
312 If the program is interactive, make it output a short notice like this
313 when it starts in an interactive mode:
314
315 Gnomovision version 69, Copyright (C) 19yy name of author
316 Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
317 This is free software, and you are welcome to redistribute it
318 under certain conditions; type `show c' for details.
319
320 The hypothetical commands `show w' and `show c' should show the appropriate
321 parts of the General Public License. Of course, the commands you use may
322 be called something other than `show w' and `show c'; they could even be
323 mouse-clicks or menu items--whatever suits your program.
324
325 You should also get your employer (if you work as a programmer) or your
326 school, if any, to sign a "copyright disclaimer" for the program, if
327 necessary. Here is a sample; alter the names:
328
329 Yoyodyne, Inc., hereby disclaims all copyright interest in the program
330 `Gnomovision' (which makes passes at compilers) written by James Hacker.
331
332 <signature of Ty Coon>, 1 April 1989
333 Ty Coon, President of Vice
334
335 This General Public License does not permit incorporating your program into
336 proprietary programs. If your program is a subroutine library, you may
337 consider it more useful to permit linking proprietary applications with the
338 library. If this is what you want to do, use the GNU Library General
339 Public License instead of this License.
EAPMD5-Challenge-01.cap less more
Binary diff not shown
+18
-0
Makefile less more
0 CFLAGS = -pipe -Wall -O2 -ggdb -g3
1 LDLIBS = -lpcap -lcrypto
2 PROG = eapmd5pass
3 PROGOBJ = utils.o
4
5 all: $(PROGOBJ) $(PROG)
6
7 utils.o: utils.c utils.h
8 $(CC) $(CFLAGS) -c utils.c
9
10 eapmd5pass: eapmd5pass.c eapmd5pass.h utils.c utils.h
11 $(CC) $(CFLAGS) -o eapmd5pass $(PROGOBJ) eapmd5pass.c $(LDLIBS)
12
13 clean:
14 $(RM) $(PROG) $(PROGOBJ) *~
15
16 strip:
17 @strip $(PROG)
+89
-0
README less more
0 eapmd5pass - offline EAP-MD5 dictionary attack.
1
2 Copyright(c) 2007-2008, Joshua Wright <[email protected]>
3
4 $Id: README,v 1.2 2008/02/10 02:24:34 jwright Exp $
5
6 --------------------------------------------------------------------------------
7
8 EAP-MD5 is a legacy authentication mechanism that does not provide sufficient
9 protection for user authentication credentials. Users who authenticate using
10 EAP-MD5 subject themselves to an offline dictionary attack vulnerability.
11
12 This tool reads from a live network interface in monitor-mode, or from a
13 stored libpcap capture file, and extracts the portions of the EAP-MD5
14 authentication exchange. Once the challenge and response portions have been
15 collected from this exchange, eapmd5pass will mount an offline dictionary
16 attack against the user's password.
17
18
19 SAMPLE CAPTURES
20
21 The following sample EAP-MD5 packet captures have the corresponding
22 passwords:
23
24 File Password
25 ---- --------
26 eapmd5-sample.dump beaVIs
27 EAPMD5-Challenge-01.cap bradtest
28 brad.eaptest.cap bradtest
29 bra.eaptest2.cap bradtest
30
31
32 USE NOTES
33
34 Normal operation of this tool will be to specify a dictionary file of words
35 to use as potential passwords, one per line, along with a packet capture file
36 from wireless network of an EAP-MD5 exchange, as shown below:
37
38
39 $ ./eapmd5pass -w dict -r eapmd5-sample.dump
40 eapmd5pass - Dictionary attack against EAP-MD5
41 Collected all data necessary to attack password for "jwright", starting attack.
42 User password is "beaVIs".
43 3917111 passwords in 6.55 seconds: 598165.01 passwords/second.
44
45
46 However, there may be cases where mounting an EAP-MD5 attack is necessary
47 even when a packet capture is not available. If you have observed an EAP-MD5
48 exchange but do not have the data in a wireless packet capture that is
49 understood by this tool, you can manually specify the following parameters
50 as command-line arguments:
51
52 + username
53 + EAP challenge (16 bytes)
54 + EAP response (16 bytes)
55 + EAP Id of the EAP response frame (usually "2")
56 + Dictionary file
57
58 An example of using eapmd5pass in this manner is shown below:
59
60
61 $ ./eapmd5pass -w dict -U jwright -C d7:ec:2f:ff:2a:da:43:7f:9d:cd:4e:3b:0d:f4:4d:50 -R 1f:fc:6c:26:59:bc:5b:b9:41:44:fd:01:eb:75:6e:37 -E 2
62 eapmd5pass - Dictionary attack against EAP-MD5
63 User password is "beaVIs".
64 3917111 passwords in 7.05 seconds: 555990.03 passwords/second.
65
66
67 Note that this tool isn't particularly useful; with no native supplicant
68 support for EAP-MD5 in Microsoft Windows, and the lack of support for
69 encryption in an EAP-MD5 network, it is rare to see EAP-MD5 in use. However,
70 the Windows IAS server has support for EAP-MD5 enabled by default, so it is
71 conceivable that a user could setup their own workstation to use this
72 protocol, unaware of the risks associated with this EAP type. It should be
73 noted that the Funk Odyssey and Mac OS X supplicants both support EAP-MD5
74 authentication.
75
76 Why did I write this? I'm not sure. It's possible that I wrote this during a
77 chrono-synclastic infundibulum experience, where it may have meant more to me
78 at the time.
79
80
81 THANKS
82
83 Special thanks to Brad Antoniewicz for his patches and additional test
84 capture files.
85
86 COMMENTS/QUESTIONS/CONCERNS?
87
88 Please contact me at [email protected]. Thanks!
brad.eaptest.cap less more
Binary diff not shown
brad.eaptest2.cap less more
Binary diff not shown
+60
-0
byteswap.h less more
0 /* Copyright (c) 2007, Joshua Wright <[email protected]>
1 *
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License version 2 as
4 * published by the Free Software Foundation. See COPYING for more
5 * details.
6 *
7 * This software is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 */
12
13 #ifndef BYTESWAP_H
14 #define BYTESWAP_H
15
16 #define __swab16(x) \
17 ({ \
18 uint16_t __x = (x); \
19 ((uint16_t)( \
20 (((uint16_t)(__x) & (uint16_t)0x00ffU) << 8) | \
21 (((uint16_t)(__x) & (uint16_t)0xff00U) >> 8) )); \
22 })
23
24 #define __swab32(x) \
25 ({ \
26 uint32_t __x = (x); \
27 ((uint32_t)( \
28 (((uint32_t)(__x) & (uint32_t)0x000000ffUL) << 24) | \
29 (((uint32_t)(__x) & (uint32_t)0x0000ff00UL) << 8) | \
30 (((uint32_t)(__x) & (uint32_t)0x00ff0000UL) >> 8) | \
31 (((uint32_t)(__x) & (uint32_t)0xff000000UL) >> 24) )); \
32 })
33
34 #define __swab64(x) \
35 ({ \
36 uint64_t __x = (x); \
37 ((uint64_t)( \
38 (uint64_t)(((uint64_t)(__x) & (uint64_t)0x00000000000000ffULL) << 56) | \
39 (uint64_t)(((uint64_t)(__x) & (uint64_t)0x000000000000ff00ULL) << 40) | \
40 (uint64_t)(((uint64_t)(__x) & (uint64_t)0x0000000000ff0000ULL) << 24) | \
41 (uint64_t)(((uint64_t)(__x) & (uint64_t)0x00000000ff000000ULL) << 8) | \
42 (uint64_t)(((uint64_t)(__x) & (uint64_t)0x000000ff00000000ULL) >> 8) | \
43 (uint64_t)(((uint64_t)(__x) & (uint64_t)0x0000ff0000000000ULL) >> 24) | \
44 (uint64_t)(((uint64_t)(__x) & (uint64_t)0x00ff000000000000ULL) >> 40) | \
45 (uint64_t)(((uint64_t)(__x) & (uint64_t)0xff00000000000000ULL) >> 56) )); \
46 })
47
48 #ifdef WORDS_BIGENDIAN
49 #warning "Compiling for big-endian"
50 #define le16_to_cpu(x) __swab16(x)
51 #define le32_to_cpu(x) __swab32(x)
52 #define le64_to_cpu(x) __swab64(x)
53 #else
54 #define le16_to_cpu(x) (x)
55 #define le32_to_cpu(x) (x)
56 #define le64_to_cpu(x) (x)
57 #endif
58
59 #endif /* BYTESWAP_H */
eapmd5-sample.dump less more
Binary diff not shown
+778
-0
eapmd5pass.c less more
0 /* Copyright (c) 2007, Joshua Wright <[email protected]>
1 *
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License version 2 as
4 * published by the Free Software Foundation. See COPYING for more
5 * details.
6 *
7 * This software is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 */
12
13 #include <stdio.h>
14 #include <stdlib.h>
15 #include <string.h>
16 #include <unistd.h>
17 #include <netinet/in.h>
18 #include <signal.h>
19
20 #include <openssl/md5.h>
21 #include <pcap.h>
22
23 #include "radiotap.h"
24 #include "utils.h"
25 #include "byteswap.h"
26 #include "eapmd5pass.h"
27 #include "ieee80211.h"
28 #include "ieee8021x.h"
29 #include "ietfproto.h"
30
31 /* pcap descriptor */
32 pcap_t *p = NULL;
33 struct pcap_pkthdr *h;
34 uint8_t *dot11packetbuf;
35 int __verbosity=0;
36 int offset=0; /* Offset of pcap data to beginning of frame */
37 long pcount=0; /* Total number of packets observed */
38 struct eapmd5pass_data em;
39
40 void cleanexit()
41 {
42 if (p != NULL) {
43 pcap_close(p);
44 }
45
46 if (em.recovered_pass > 0) {
47 exit(0);
48 } else {
49 exit(1);
50 }
51 }
52
53 void usage()
54 {
55 printf("\nUsage: eapmd5pass [ -i <int> | -r <pcapfile> ] [ -w wordfile ] [options]\n");
56 printf("\n");
57 printf(" -i <iface>\tinterface name\n");
58 printf(" -r <pcapfile>\tread from a named libpcap file\n");
59 printf(" -w <wordfile>\tuse wordfile for possible passwords.\n");
60 printf(" -b <bssid>\tBSSID of target network (default: all)\n");
61 printf(" -U <username>\tUsername of EAP-MD5 user.\n");
62 printf(" -C <chal>\tEAP-MD5 challenge value.\n");
63 printf(" -R <response>\tEAP-MD5 response value.\n");
64 printf(" -E <eapid>\tEAP-MD5 response EAP ID value.\n");
65 printf(" -v\t\tincrease verbosity level (max 3)\n");
66 printf(" -V\t\tversion information\n");
67 printf(" -h\t\tusage information\n");
68
69 printf("\nThe \"-r\" and \"[-U|-C|-R|-E]\" options are not meant to be "
70 "used together. Use -r\nwhen a packet capture is "
71 "available. Specify the username, challenge and\n"
72 "response when available through other means.\n");
73 }
74
75 /* Determine radiotap data length (including header) and return offset for the
76 beginning of the 802.11 header */
77 int radiotap_offset(pcap_t *p, struct pcap_pkthdr *h)
78 {
79
80 struct ieee80211_radiotap_header *rtaphdr;
81 int rtaphdrlen=0;
82
83 /* Grab a packet to examine radiotap header */
84 if (pcap_next_ex(p, &h, (const u_char **)&dot11packetbuf) > -1) {
85
86 rtaphdr = (struct ieee80211_radiotap_header *)dot11packetbuf;
87 rtaphdrlen = le16_to_cpu(rtaphdr->it_len); /* rtap is LE */
88
89 /* Sanity check on header length */
90 if (rtaphdrlen > (h->len - DOT11HDR_MINLEN)) {
91 return -2; /* Bad radiotap data */
92 }
93
94 return rtaphdrlen;
95 }
96
97 return -1;
98 }
99
100 void assess_packet(char *user, struct pcap_pkthdr *h, u_int8_t *pkt)
101 {
102
103 struct dot11hdr *dot11;
104 struct ieee8021x *dot1xhdr;
105 struct ieee8022 *dot2hdr;
106 struct eap_hdr *eaphdr;
107 uint8_t *srcaddrptr, *dstaddrptr, *bssidaddrptr;
108 uint8_t *dot11buf;
109 int plen, poffset;
110 struct eapmd5pass_data *em;
111 extern long pcount;
112
113 em = (struct eapmd5pass_data *)user;
114
115 dot11buf = (pkt + offset);
116
117 pcount++; /* Global packet counter */
118 if (__verbosity > 2) {
119 printf("Checking Frame: %ld....\n",pcount);
120 }
121
122 poffset = offset;
123 plen = h->len - offset;
124 if (plen > DOT11HDR_A3_LEN) {
125 dot11 = (struct dot11hdr *)(pkt+offset);
126 } else {
127 if (__verbosity > 1) {
128 printf("\tDiscarding too-small frame (%d).\n", plen);
129 }
130 return;
131 }
132
133 if (dot11->u1.fc.from_ds == 1 && dot11->u1.fc.to_ds == 1) {
134 /* Ignore WDS frames */
135 if (__verbosity > 2) {
136 printf("\tDiscarding WDS frame.\n");
137 }
138 return;
139 } else if (dot11->u1.fc.from_ds == 1 && dot11->u1.fc.to_ds == 0) {
140 /* From the DS */
141 srcaddrptr = dot11->addr3;
142 dstaddrptr = dot11->addr1;
143 bssidaddrptr = dot11->addr2;
144 } else if (dot11->u1.fc.from_ds == 0 && dot11->u1.fc.to_ds == 1) {
145 /* To the DS, interesting to us */
146 srcaddrptr = dot11->addr2;
147 dstaddrptr = dot11->addr3;
148 bssidaddrptr = dot11->addr1;
149 } else { /* fromds = 0, tods = 0 */
150 /* Ad-hoc, can this be used with PEAP? */
151 srcaddrptr = dot11->addr2;
152 dstaddrptr = dot11->addr1;
153 bssidaddrptr = dot11->addr3;
154 }
155
156 if (dot11->u1.fc.type != DOT11_FC_TYPE_DATA) {
157 if (__verbosity > 2) {
158 printf("\tDiscarding frame, not type data.\n");
159 }
160 return;
161 }
162
163 /* Discard traffic for other BSSID's if one was specified; otherwise,
164 all networks are fair game. */
165 if (em->bssidset) {
166 if (memcmp(em->bssid, bssidaddrptr, IEEE802_MACLEN) != 0) {
167 return;
168 }
169 }
170
171 poffset += DOT11HDR_A3_LEN;
172 plen -= DOT11HDR_A3_LEN;
173
174 if (dot11->u1.fc.subtype == DOT11_FC_SUBTYPE_QOSDATA) {
175 /* Move another 2 bytes past QoS header */
176 poffset += DOT11HDR_QOS_LEN;
177 plen -= DOT11HDR_QOS_LEN;
178 } else if (dot11->u1.fc.subtype != DOT11_FC_SUBTYPE_DATA) {
179 if (__verbosity > 2) {
180 printf("\tDiscarding frame, not-applicable subtype: "
181 "%02x.\n", dot11->u1.fc.subtype);
182 }
183 return;
184 }
185
186 if (plen <= 0) {
187 if (__verbosity > 2) {
188 printf("\tDiscarding frame with no payload.\n");
189 }
190 return;
191 }
192
193
194 /* IEEE 802.2 header */
195 dot2hdr = (struct ieee8022 *)(pkt+poffset);
196 poffset += DOT2HDR_LEN;
197 plen -= DOT2HDR_LEN;
198
199 if (plen <= 0) {
200 if (__verbosity > 2) {
201 printf("\tDiscarding frame with partial 802.2 header.\n");
202 }
203 return;
204 }
205
206 /* Check 802.2 header for embedded IEEE 802.1x authentication */
207 if (dot2hdr->dsap != IEEE8022_SNAP || dot2hdr->ssap != IEEE8022_SNAP) {
208 if (__verbosity > 2) {
209 printf("\tDiscarding frame, invalid 802.2 header.\n");
210 }
211 return;
212 }
213 if (ntohs(dot2hdr->type) != IEEE8022_TYPE_DOT1X) {
214 if (__verbosity > 2) {
215 printf("\tDicarding frame, embedded protocol is not "
216 "IEEE 802.1x (%04x).\n", dot2hdr->type);
217 }
218 return;
219 }
220
221
222 /* IEEE 802.1x header */
223 dot1xhdr = (struct ieee8021x *)(pkt + poffset);
224 plen -= DOT1XHDR_LEN;
225 poffset += DOT1XHDR_LEN;
226
227 if (plen <= 0) {
228 if (__verbosity > 2) {
229 printf("\tDiscarding frame, too short for 802.1x (%d).\n",
230 h->len - offset);
231 }
232 return;
233 }
234
235 if (dot1xhdr->version != DOT1X_VERSION1 &&
236 dot1xhdr->version != DOT1X_VERSION2) {
237 if (__verbosity > 2) {
238 printf("\tDiscarding frame, not an 802.1x packet.\n");
239 }
240 return;
241 }
242
243 if (dot1xhdr->type != DOT1X_TYPE_EAP) {
244 if (__verbosity > 2) {
245 printf("\tDiscarding frame, not an EAP packet.\n");
246 }
247 return;
248 }
249
250 /* EAP header contents */
251 eaphdr = (struct eap_hdr *)(pkt + poffset);
252
253 if ((plen - EAPHDR_MIN_LEN) < 0) {
254 if (__verbosity > 2) {
255 printf("\tDiscarding frame, too short for EAP (%d).\n",
256 h->len - offset);
257 }
258 return;
259 }
260
261 if (eaphdr->type != EAP_TYPE_ID && eaphdr->type != EAP_TYPE_MD5 &&
262 eaphdr->type != EAP_TYPE_EAP) {
263 if (__verbosity > 2) {
264 printf("\tDiscarding frame, not EAP Identification or "
265 "EAP-MD5.\n");
266 }
267 return;
268 }
269
270 /* Try to extract username */
271 if (dot11->u1.fc.from_ds == 0 && dot11->u1.fc.to_ds == 1 &&
272 eaphdr->type == EAP_TYPE_ID) {
273 if (extract_eapusername((pkt+poffset), plen, em) == 0) {
274 if (__verbosity > 2) {
275 printf("\tFound Username!\n");
276 }
277 em->namefound=1;
278 return;
279 }
280 }
281
282 /* Try to extract the challenge */
283 if (dot11->u1.fc.from_ds == 1 && dot11->u1.fc.to_ds == 0 &&
284 eaphdr->type == EAP_TYPE_MD5 &&
285 em->namefound == 1 &&
286 em->chalfound == 0) {
287 if (extract_eapchallenge((pkt+poffset), plen, em) == 0) {
288 if (__verbosity > 2) {
289 printf("\tFound Challenge!\n");
290 }
291
292 em->chalfound = 1;
293 return;
294 }
295 }
296
297 /* Try to extract the response */
298 if (dot11->u1.fc.from_ds == 0 && dot11->u1.fc.to_ds == 1 &&
299 eaphdr->type == EAP_TYPE_MD5 &&
300 em->namefound == 1 &&
301 em->chalfound == 1 &&
302 em->respfound == 0) {
303 if (extract_eapresponse((pkt+poffset), plen, em) == 0) {
304 if (__verbosity > 2) {
305 printf("\tFound Response!\n");
306 }
307
308 em->respfound = 1;
309 return;
310 }
311 }
312
313 /* Try to extract the success message */
314 if (dot11->u1.fc.from_ds == 1 && dot11->u1.fc.to_ds == 0 &&
315 em->namefound == 1 &&
316 em->chalfound == 1 &&
317 em->respfound == 1) {
318 if (__verbosity > 2) {
319 printf("\tFound Possible EAP Success!\n");
320 }
321
322 if (extract_eapsuccess((pkt+poffset), plen, em) == 0) {
323 em->succfound = 1;
324 printf("Collected all data necessary to attack "
325 "password for \"%s\", starting attack."
326 "\n", em->username);
327 eapmd5_attack(em);
328 eapmd5_nexttarget(em);
329 return;
330 } else {
331 if (__verbosity >2) {
332 printf("\tCould not confirm EAP Success\n");
333 }
334 }
335 }
336
337 return;
338 }
339
340 void eapmd5_attack(struct eapmd5pass_data *em)
341 {
342
343 FILE *fp;
344 int passlen;
345 unsigned long wordcount=0;
346 uint8_t digest[16];
347 char buf[256];
348 struct timeval start, finish;
349 int success=0;
350 float elapsed=0;
351
352 buf[0] = em->respeapid;
353
354 if (*em->wordfile == '-') {
355 fp = stdin;
356 } else {
357 fp = fopen(em->wordfile, "r");
358 }
359
360 if (fp == NULL) {
361 perror("fopen");
362 pcap_close(p);
363 exit(-1);
364 }
365
366 gettimeofday(&start, 0);
367
368 while(feof(fp) == 0) {
369 if (fgets((buf+1), sizeof(buf)-1, fp) == NULL) {
370 fclose(fp);
371 break;
372 }
373
374 wordcount++;
375 passlen = strlen(buf)-1;
376 memcpy((buf+passlen), em->challenge, 16);
377
378 MD5((uint8_t *)buf, passlen+16, digest);
379
380 if (memcmp(digest, em->response, 16) == 0) {
381 success=1;
382 fclose(fp);
383 break;
384 }
385
386 }
387
388 gettimeofday(&finish, 0);
389
390 if (success == 1) {
391 em->recovered_pass++;
392 buf[passlen] = 0;
393 printf("User password is \"%s\".\n", buf+1);
394 } else {
395 printf("Unable to idenitfy user password, not in the dictionary"
396 " file.\n");
397 }
398
399 if (finish.tv_usec < start.tv_usec) {
400 finish.tv_sec -= 1;
401 finish.tv_usec += 1000000;
402 }
403 finish.tv_sec -= start.tv_sec;
404 finish.tv_usec -= start.tv_usec;
405 elapsed = finish.tv_sec + finish.tv_usec / 1000000.0;
406
407 printf("%lu passwords in %.2f seconds: %.2f passwords/second.\n",
408 wordcount, elapsed, wordcount/elapsed);
409 return;
410 }
411
412 void eapmd5_nexttarget(struct eapmd5pass_data *em)
413 {
414 /* Reset tracking values for the next attack */
415 em->namefound = 0;
416 em->chalfound = 0;
417 em->respfound = 0;
418 em->succfound = 0;
419 return;
420 }
421
422 int extract_eapusername(uint8_t *eap, int len, struct eapmd5pass_data *em)
423 {
424 struct eap_hdr *eaphdr;
425 int usernamelen;
426 int eaplen;
427
428 eaphdr = (struct eap_hdr *)eap;
429
430 if (eaphdr->code != EAP_RESPONSE) {
431 return 1;
432 }
433
434 if (eaphdr->type != EAP_TYPE_ID) {
435 return 1;
436 }
437
438 eaplen = ntohs(eaphdr->length);
439 if (eaplen > len) {
440 return 1;
441 }
442
443 /* 5 bytes for EAP header information without identity information */
444 usernamelen = (eaplen - 5);
445
446 usernamelen = (eaplen > sizeof(em->username))
447 ? sizeof(em->username) : usernamelen;
448 memcpy(em->username, (eap+5), usernamelen);
449 em->username[usernamelen] = 0;
450
451 return 0;
452 }
453
454 int extract_eapchallenge(uint8_t *eap, int len, struct eapmd5pass_data *em)
455 {
456 struct eap_hdr *eaphdr;
457 int eaplen;
458 int offset;
459
460 eaphdr = (struct eap_hdr *)eap;
461
462 if (eaphdr->code != EAP_REQUEST) {
463 return 1;
464 }
465
466 if (eaphdr->type != EAP_TYPE_MD5) {
467 return 1;
468 }
469
470 eaplen = ntohs(eaphdr->length);
471 if (eaplen > len) {
472 return 1;
473 }
474
475 /* 5th byte offset is the value-size parameter */
476 if ((eap[5]) != 16) {
477 return 1;
478 }
479
480 len -= 6;
481 offset = 6;
482
483 if (len <= 0) {
484 return 1;
485 }
486
487 memcpy(em->challenge, (eap+offset), 16);
488 return 0;
489 }
490
491
492 int extract_eapresponse(uint8_t *eap, int len, struct eapmd5pass_data *em)
493 {
494 struct eap_hdr *eaphdr;
495 int eaplen;
496 int offset;
497
498 eaphdr = (struct eap_hdr *)eap;
499
500 if (eaphdr->code != EAP_RESPONSE) {
501 return 1;
502 }
503
504 if (eaphdr->type != EAP_TYPE_MD5) {
505 return 1;
506 }
507
508 eaplen = ntohs(eaphdr->length);
509 if (eaplen > len) {
510 return 1;
511 }
512
513 /* 5th byte offset is the value-size parameter */
514 if ((eap[5]) != 16) {
515 return 1;
516 }
517
518 len -= 6;
519 offset = 6;
520
521 if (len <= 0) {
522 return 1;
523 }
524
525 memcpy(em->response, (eap+offset), 16);
526 em->respeapid = eaphdr->identifier;
527 return 0;
528 }
529
530 int extract_eapsuccess(uint8_t *eap, int len, struct eapmd5pass_data *em)
531 {
532 struct eap_hdr *eaphdr;
533
534 eaphdr = (struct eap_hdr *)eap;
535
536 if (eaphdr->code == EAP_FAILURE) {
537 /* Reset tracking values for next exchange */
538 eapmd5_nexttarget(em);
539 }
540
541 if (eaphdr->code == EAP_SUCCESS) {
542 return 0;
543 }
544
545 return 1;
546 }
547
548 /* Called by signal SIGALRM */
549 void break_pcaploop()
550 {
551 if (__verbosity > 2) {
552 printf("Calling pcap_breakloop.\n");
553 }
554 pcap_breakloop(p);
555 }
556
557
558
559 int main(int argc, char *argv[])
560 {
561
562 char errbuf[PCAP_ERRBUF_SIZE], iface[17], pcapfile[1024];
563 int opt=0, datalink=0, ret=0;
564 extern struct eapmd5pass_data em;
565
566 memset(&em, 0, sizeof(em));
567 memset(pcapfile, 0, sizeof(pcapfile));
568
569 printf("eapmd5pass - Dictionary attack against EAP-MD5\n");
570 while ((opt = getopt(argc, argv, "w:r:i:b:U:C:R:E:vVh?")) != -1) {
571 switch(opt) {
572
573 case 'i':
574 /* Interface name */
575 strncpy(iface, optarg, sizeof(iface)-1);
576 break;
577 case 'w':
578 /* word file */
579 strncpy(em.wordfile, optarg, sizeof(em.wordfile)-1);
580 break;
581 case 'r':
582 /* Read from pcap file */
583 strncpy(pcapfile, optarg, sizeof(pcapfile)-1);
584 break;
585 case 'b':
586 /* BSSID of target network */
587 if (str2mac(optarg, em.bssid) != 0) {
588 fprintf(stderr, "Error parsing BSSID MAC "
589 "address.\n");
590 usage();
591 return -1;
592 }
593 em.bssidset = 1;
594 break;
595 case 'C':
596 if (strlen(optarg) != 47) {
597 usage("Incorrect challenge input length "
598 "specified.\n");
599 exit(1);
600 }
601 if (str2hex(optarg, em.challenge,
602 sizeof(em.challenge)) < 0) {
603 usage("Malformed value specified as "
604 "challenge.\n");
605 exit(1);
606 }
607 em.chalfound=1;
608 break;
609 case 'R':
610 if (strlen(optarg) != 47) {
611 usage("Incorrect response input length "
612 "specified.\n");
613 exit(1);
614 }
615 if (str2hex(optarg, em.response,
616 sizeof(em.response)) < 0) {
617 usage("Malformed value specified as "
618 "response.\n");
619 exit(1);
620 }
621 em.respfound=1;
622 break;
623 case 'U':
624 strncpy(em.username, optarg, sizeof(em.username)-1);
625 em.namefound=1;
626 break;
627 case 'E':
628 em.respeapid=atoi(optarg);
629 em.eapid=1;
630 break;
631 case 'v':
632 __verbosity++;
633 break;
634 case 'V':
635 printf("eapmd5pass - 1.0\n$Id: eapmd5pass.c,v 1.4 2008/02/10 02:24:34 jwright Exp $\n");
636 return(0);
637 break;
638 default:
639 usage();
640 return(-1);
641 break;
642 }
643 }
644
645 /* Register signal handlers */
646 signal(SIGINT, cleanexit);
647 signal(SIGTERM, cleanexit);
648 signal(SIGQUIT, cleanexit);
649
650
651 /* Test for minimum number of arguments */
652 if (argc < 3) {
653 usage();
654 return -1;
655 }
656
657 if (strlen(em.wordfile) < 1) {
658 fprintf(stderr, "Must specify a dictionary file with -w.\n");
659 usage();
660 return -1;
661 }
662
663 if (em.namefound && em.chalfound && em.respfound && em.eapid) {
664 /* User specified input parameters manually, assume success
665 * and start cracking.
666 */
667 em.succfound=1;
668 eapmd5_attack(&em);
669 return 0;
670 }
671
672 if (strlen(pcapfile) > 0) {
673 /* User has specified a libpcap file for reading */
674 p = pcap_open_offline(pcapfile, errbuf);
675 } else {
676 p = pcap_open_live(iface, SNAPLEN, PROMISC, TIMEOUT, errbuf);
677 }
678
679 if (p == NULL) {
680 fprintf(stderr, "Unable to open pcap device\n");
681 perror("pcap_open");
682 return -1;
683 }
684
685 /* Set non-blocking */
686 if (pcap_setnonblock(p, PCAP_DONOTBLOCK, errbuf) != 0) {
687 fprintf(stderr, "Error placing pcap interface in non-blocking "
688 "mode.\n");
689 perror("pcap_setnonblock");
690 pcap_close(p);
691 return -1;
692 }
693
694 /* Examine header length to determine offset of the 802.11 header */
695 datalink = pcap_datalink(p);
696 switch(datalink) {
697
698 case DLT_IEEE802_11_RADIO: /* Variable length header */
699 offset = radiotap_offset(p, h);
700 if (offset < sizeof(struct ieee80211_radiotap_header)) {
701 fprintf(stderr, "Unable to determine offset from "
702 "radiotap header (%d).\n", offset);
703 usage();
704 return(-1);
705 }
706 break;
707
708 case DLT_IEEE802_11:
709 offset = DOT11_OFFSET_DOT11;
710 break;
711
712 case DLT_TZSP:
713 offset = DOT11_OFFSET_TZSP;
714 break;
715
716 case DLT_PRISM_HEADER:
717 offset = DOT11_OFFSET_PRISMAVS;
718 break;
719
720 default:
721 fprintf(stderr, "Unrecognized datalink type %d.\n", datalink);
722 usage();
723 return(-1);
724 }
725
726 /* Loop for each packet received */
727 signal(SIGALRM, break_pcaploop);
728
729 /* We need a different routine for handling read from pcapfile vs. live
730 interface, because pcap_dispatch returns 0 for EOF on pcapfile, or
731 no packets retrieved due to blocking on a live interface */
732 if (strlen(pcapfile) > 0) {
733 ret = pcap_dispatch(p, PCAP_LOOP_CNT,
734 (pcap_handler)assess_packet, (u_char *)&em);
735 if (ret != 0) {
736 /* Error reading from packet capture file */
737 fprintf(stderr, "pcap_dispatch: %s\n", pcap_geterr(p));
738 return -1;
739 }
740
741 } else { /* live packet capture */
742
743 while(1) {
744 ret = pcap_dispatch(p, PCAP_LOOP_CNT,
745 (pcap_handler)assess_packet,
746 (u_char *)&em);
747 if (ret == 0) {
748 /* No packets read, sleep and continue */
749 usleep(250000);
750 continue;
751 } else if (ret == -1) {
752 fprintf(stderr, "pcap_loop: %s",
753 pcap_geterr(p));
754 break;
755 } else if (ret == -2) {
756 /* returned -2, pcap_breakloop called */
757 break;
758 } else {
759 /* Packet retrieved successfully, continue */
760 continue;
761 }
762 }
763 }
764
765 if (__verbosity) {
766 printf("Total packets observed: %ld\n", pcount);
767 }
768
769 pcap_close(p);
770
771 if (em.recovered_pass > 0) {
772 return 0;
773 } else {
774 return 1;
775 }
776
777 }
+67
-0
eapmd5pass.h less more
0 /* Copyright (c) 2007, Joshua Wright <[email protected]>
1 *
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License version 2 as
4 * published by the Free Software Foundation. See COPYING for more
5 * details.
6 *
7 * This software is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 */
12
13 #ifndef EAPMD5PASS_H
14 #define EAPMD5PASS_H
15
16 #define DOT11_OFFSET_DOT11 0
17 #define DOT11_OFFSET_TZSP 29
18 #define DOT11_OFFSET_PRISMAVS 144
19
20 #define PCAP_DONOTBLOCK 1
21
22 #define IEEE802_MACLEN 6
23
24 #define PCAP_LOOP_CNT -1
25
26 #define SNAPLEN 2312
27 #define PROMISC 1
28 #define TIMEOUT 500
29
30 struct eapmd5pass_data {
31 uint8_t bssid[6];
32 char wordfile[1024];
33 unsigned int mcastid;
34 uint8_t bssidset;
35 int recovered_pass;
36
37 /* Parser tracking values */
38 uint8_t namefound;
39 uint8_t chalfound;
40 uint8_t respfound;
41 uint8_t succfound;
42 uint8_t eapid;
43
44 /* Extracted from EAP-MD5 exchange */
45 char username[64];
46 uint8_t challenge[16];
47 uint8_t response[16];
48 uint8_t respeapid;
49
50 };
51
52
53 void cleanexit();
54 void usage();
55 int radiotap_offset(pcap_t *p, struct pcap_pkthdr *h);
56 void assess_packet(char *user, struct pcap_pkthdr *h, u_int8_t *pkt);
57 void eapmd5_nexttarget(struct eapmd5pass_data *em);
58 int extract_eapusername(uint8_t *eap, int eaplen, struct eapmd5pass_data *em);
59 int extract_eapchallenge(uint8_t *eap, int eaplen, struct eapmd5pass_data *em);
60 int extract_eapresponse(uint8_t *eap, int eaplen, struct eapmd5pass_data *em);
61 int extract_eapsuccess(uint8_t *eap, int eaplen, struct eapmd5pass_data *em);
62 void break_pcaploop();
63 int main(int argc, char *argv[]);
64 void eapmd5_attack(struct eapmd5pass_data *em);
65
66 #endif
+122
-0
ieee80211.h less more
0 /* Copyright (c) 2007, Joshua Wright <[email protected]>
1 *
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License version 2 as
4 * published by the Free Software Foundation. See COPYING for more
5 * details.
6 *
7 * This software is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 */
12
13 #ifndef IEEE80211_H
14 #define IEEE80211_H
15
16 #define DOT11HDR_A1_LEN 10
17 #define DOT11HDR_A3_LEN 24
18 #define DOT11HDR_A4_LEN 30
19 #define DOT11HDR_MAC_LEN 6
20 #define DOT11HDR_MINLEN DOT11HDR_A1_LEN
21
22 #define DOT11_FC_TYPE_MGMT 0
23 #define DOT11_FC_TYPE_CTRL 1
24 #define DOT11_FC_TYPE_DATA 2
25
26 #define DOT11_FC_SUBTYPE_ASSOCREQ 0
27 #define DOT11_FC_SUBTYPE_ASSOCRESP 1
28 #define DOT11_FC_SUBTYPE_REASSOCREQ 2
29 #define DOT11_FC_SUBTYPE_REASSOCRESP 3
30 #define DOT11_FC_SUBTYPE_PROBEREQ 4
31 #define DOT11_FC_SUBTYPE_PROBERESP 5
32 #define DOT11_FC_SUBTYPE_BEACON 8
33 #define DOT11_FC_SUBTYPE_ATIM 9
34 #define DOT11_FC_SUBTYPE_DISASSOC 10
35 #define DOT11_FC_SUBTYPE_AUTH 11
36 #define DOT11_FC_SUBTYPE_DEAUTH 12
37
38 #define DOT11_FC_SUBTYPE_PSPOLL 10
39 #define DOT11_FC_SUBTYPE_RTS 11
40 #define DOT11_FC_SUBTYPE_CTS 12
41 #define DOT11_FC_SUBTYPE_ACK 13
42 #define DOT11_FC_SUBTYPE_CFEND 14
43 #define DOT11_FC_SUBTYPE_CFENDACK 15
44
45 #define DOT11_FC_SUBTYPE_DATA 0
46 #define DOT11_FC_SUBTYPE_DATACFACK 1
47 #define DOT11_FC_SUBTYPE_DATACFPOLL 2
48 #define DOT11_FC_SUBTYPE_DATACFACKPOLL 3
49 #define DOT11_FC_SUBTYPE_DATANULL 4
50 #define DOT11_FC_SUBTYPE_CFACK 5
51 #define DOT11_FC_SUBTYPE_CFACKPOLL 6
52 #define DOT11_FC_SUBTYPE_CFACKPOLLNODATA 7
53 #define DOT11_FC_SUBTYPE_QOSDATA 8
54 /* 9 - 11 reserved as of 11/7/2005 - JWRIGHT */
55 #define DOT11_FC_SUBTYPE_QOSNULL 12
56
57 struct dot11hdr {
58 union {
59 struct {
60 uint8_t version:2;
61 uint8_t type:2;
62 uint8_t subtype:4;
63 uint8_t to_ds:1;
64 uint8_t from_ds:1;
65 uint8_t more_frag:1;
66 uint8_t retry:1;
67 uint8_t pwrmgmt:1;
68 uint8_t more_data:1;
69 uint8_t protected:1;
70 uint8_t order:1;
71 } __attribute__ ((packed)) fc;
72
73 uint16_t fchdr;
74 } u1;
75
76 uint16_t duration;
77 uint8_t addr1[6];
78 uint8_t addr2[6];
79 uint8_t addr3[6];
80
81 union {
82 struct {
83 uint16_t fragment:4;
84 uint16_t sequence:12;
85 } __attribute__ ((packed)) seq;
86
87 uint16_t seqhdr;
88 } u2;
89
90 } __attribute__ ((packed));
91
92 #define dot11hdra3 dot11hdr
93 #define ieee80211 dot11hdr
94
95 struct ieee80211_qos {
96 uint8_t priority:3;
97 uint8_t reserved3:1;
98 uint8_t eosp:1;
99 uint8_t ackpol:2;
100 uint8_t reserved1:1;
101 uint8_t reserved2;
102 } __attribute__ ((packed));
103 #define DOT11HDR_QOS_LEN 2
104
105
106 struct ieee8022 {
107 uint8_t dsap;
108 uint8_t ssap;
109 uint8_t control;
110 uint8_t oui[3];
111 uint16_t type;
112 } __attribute__ ((packed));
113 #define DOT2HDR_LEN sizeof(struct ieee8022)
114
115 #define IEEE8022_SNAP 0xaa
116 #define IEEE8022_TYPE_IP 0x0800
117 #define IEEE8022_TYPE_DOT1X 0x888e
118 #define IEEE8022_TYPE_ARP 0x0806
119
120
121 #endif
+29
-0
ieee8021x.h less more
0 /* Copyright (c) 2007, Joshua Wright <[email protected]>
1 *
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License version 2 as
4 * published by the Free Software Foundation. See COPYING for more
5 * details.
6 *
7 * This software is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 */
12
13 #ifndef IEEE8021X_H
14 #define IEEE8021X_H
15
16 /* The 802.1X header indicates a version, type and length */
17 struct ieee8021x {
18 uint8_t version;
19 uint8_t type;
20 uint16_t len;
21 } __attribute__ ((packed));
22 #define DOT1XHDR_LEN sizeof(struct ieee8021x)
23
24 #define DOT1X_VERSION1 1
25 #define DOT1X_VERSION2 2
26 #define DOT1X_TYPE_EAP 0
27
28 #endif
+40
-0
ietfproto.h less more
0 /* Copyright (c) 2007, Joshua Wright <[email protected]>
1 *
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License version 2 as
4 * published by the Free Software Foundation. See COPYING for more
5 * details.
6 *
7 * This software is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 */
12
13 #ifndef IETFPROTO_H
14 #define IETFPROTO_H
15
16 /* EAP message constants */
17 #define EAP_REQUEST 1
18 #define EAP_RESPONSE 2
19 #define EAP_SUCCESS 3
20 #define EAP_FAILURE 4
21
22 /* EAP types, more at http://www.iana.org/assignments/eap-numbers */
23 #define EAP_TYPE_EAP 0
24 #define EAP_TYPE_ID 1
25 #define EAP_TYPE_MD5 4
26
27 struct eap_hdr {
28 uint8_t code; /* 1=request, 2=response, 3=success, 4=failure? */
29 uint8_t identifier;
30 uint16_t length; /* Length of the entire EAP message */
31
32 /* The following fields may not be present in all EAP frames */
33 uint8_t type;
34 uint8_t flags;
35 uint32_t totallen;
36 } __attribute__ ((packed));
37 #define EAPHDR_MIN_LEN 4
38
39 #endif
+210
-0
radiotap.h less more
0 /* $FreeBSD: src/sys/net80211/ieee80211_radiotap.h,v 1.5 2005/01/22 20:12:05 sam Exp $ */
1 /* $NetBSD: ieee80211_radiotap.h,v 1.11 2005/06/22 06:16:02 dyoung Exp $ */
2
3 /*-
4 * Copyright (c) 2003, 2004 David Young. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. The name of David Young may not be used to endorse or promote
15 * products derived from this software without specific prior
16 * written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY DAVID YOUNG ``AS IS'' AND ANY
19 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
20 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
21 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL DAVID
22 * YOUNG BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
23 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
24 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
26 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
29 * OF SUCH DAMAGE.
30 */
31
32 #ifndef RADIOTAP_H
33 #define RADIOTAP_H
34
35 /* Kluge the radiotap linktype for now if we don't have it */
36 #ifndef LNX_ARPHRD_IEEE80211_RADIOTAP
37 #define LNX_ARPHRD_IEEE80211_RADIOTAP 803
38 #endif
39
40 /* Radiotap header version (from official NetBSD feed) */
41 #define IEEE80211RADIOTAP_VERSION "1.5"
42 /* Base version of the radiotap packet header data */
43 #define PKTHDR_RADIOTAP_VERSION 0
44
45 /* The radio capture header precedes the 802.11 header. */
46 struct ieee80211_radiotap_header {
47 u_int8_t it_version; /* Version 0. Only increases
48 * for drastic changes,
49 * introduction of compatible
50 * new fields does not count.
51 */
52 u_int8_t it_pad;
53 u_int16_t it_len; /* length of the whole
54 * header in bytes, including
55 * int_version, it_pad,
56 * it_len, and data fields.
57 */
58 u_int32_t it_present; /* A bitmap telling which
59 * fields are present. Set bit 31
60 * (0x80000000) to extend the
61 * bitmap by another 32 bits.
62 * Additional extensions are made
63 * by setting bit 31.
64 */
65 };
66
67 /* Name Data type Units
68 * ---- --------- -----
69 *
70 * IEEE80211_RADIOTAP_TSFT u_int64_t microseconds
71 *
72 * Value in microseconds of the MAC's 64-bit 802.11 Time
73 * Synchronization Function timer when the first bit of the
74 * MPDU arrived at the MAC. For received frames, only.
75 *
76 * IEEE80211_RADIOTAP_CHANNEL 2 x u_int16_t MHz, bitmap
77 *
78 * Tx/Rx frequency in MHz, followed by flags (see below).
79 *
80 * IEEE80211_RADIOTAP_FHSS u_int16_t see below
81 *
82 * For frequency-hopping radios, the hop set (first byte)
83 * and pattern (second byte).
84 *
85 * IEEE80211_RADIOTAP_RATE u_int8_t 500kb/s
86 *
87 * Tx/Rx data rate
88 *
89 * IEEE80211_RADIOTAP_DBM_ANTSIGNAL int8_t decibels from
90 * one milliwatt (dBm)
91 *
92 * RF signal power at the antenna, decibel difference from
93 * one milliwatt.
94 *
95 * IEEE80211_RADIOTAP_DBM_ANTNOISE int8_t decibels from
96 * one milliwatt (dBm)
97 *
98 * RF noise power at the antenna, decibel difference from one
99 * milliwatt.
100 *
101 * IEEE80211_RADIOTAP_DB_ANTSIGNAL u_int8_t decibel (dB)
102 *
103 * RF signal power at the antenna, decibel difference from an
104 * arbitrary, fixed reference.
105 *
106 * IEEE80211_RADIOTAP_DB_ANTNOISE u_int8_t decibel (dB)
107 *
108 * RF noise power at the antenna, decibel difference from an
109 * arbitrary, fixed reference point.
110 *
111 * IEEE80211_RADIOTAP_LOCK_QUALITY u_int16_t unitless
112 *
113 * Quality of Barker code lock. Unitless. Monotonically
114 * nondecreasing with "better" lock strength. Called "Signal
115 * Quality" in datasheets. (Is there a standard way to measure
116 * this?)
117 *
118 * IEEE80211_RADIOTAP_TX_ATTENUATION u_int16_t unitless
119 *
120 * Transmit power expressed as unitless distance from max
121 * power set at factory calibration. 0 is max power.
122 * Monotonically nondecreasing with lower power levels.
123 *
124 * IEEE80211_RADIOTAP_DB_TX_ATTENUATION u_int16_t decibels (dB)
125 *
126 * Transmit power expressed as decibel distance from max power
127 * set at factory calibration. 0 is max power. Monotonically
128 * nondecreasing with lower power levels.
129 *
130 * IEEE80211_RADIOTAP_DBM_TX_POWER int8_t decibels from
131 * one milliwatt (dBm)
132 *
133 * Transmit power expressed as dBm (decibels from a 1 milliwatt
134 * reference). This is the absolute power level measured at
135 * the antenna port.
136 *
137 * IEEE80211_RADIOTAP_FLAGS u_int8_t bitmap
138 *
139 * Properties of transmitted and received frames. See flags
140 * defined below.
141 *
142 * IEEE80211_RADIOTAP_ANTENNA u_int8_t antenna index
143 *
144 * Unitless indication of the Rx/Tx antenna for this packet.
145 * The first antenna is antenna 0.
146 *
147 * IEEE80211_RADIOTAP_FCS u_int32_t data
148 *
149 * FCS from frame in network byte order.
150 */
151 enum ieee80211_radiotap_type {
152 IEEE80211_RADIOTAP_TSFT = 0,
153 IEEE80211_RADIOTAP_FLAGS = 1,
154 IEEE80211_RADIOTAP_RATE = 2,
155 IEEE80211_RADIOTAP_CHANNEL = 3,
156 IEEE80211_RADIOTAP_FHSS = 4,
157 IEEE80211_RADIOTAP_DBM_ANTSIGNAL = 5,
158 IEEE80211_RADIOTAP_DBM_ANTNOISE = 6,
159 IEEE80211_RADIOTAP_LOCK_QUALITY = 7,
160 IEEE80211_RADIOTAP_TX_ATTENUATION = 8,
161 IEEE80211_RADIOTAP_DB_TX_ATTENUATION = 9,
162 IEEE80211_RADIOTAP_DBM_TX_POWER = 10,
163 IEEE80211_RADIOTAP_ANTENNA = 11,
164 IEEE80211_RADIOTAP_DB_ANTSIGNAL = 12,
165 IEEE80211_RADIOTAP_DB_ANTNOISE = 13,
166 IEEE80211_RADIOTAP_FCS = 14,
167 IEEE80211_RADIOTAP_EXT = 31,
168 };
169
170 /* Channel flags. */
171 #define IEEE80211_CHAN_TURBO 0x0010 /* Turbo channel */
172 #define IEEE80211_CHAN_CCK 0x0020 /* CCK channel */
173 #define IEEE80211_CHAN_OFDM 0x0040 /* OFDM channel */
174 #define IEEE80211_CHAN_2GHZ 0x0080 /* 2 GHz spectrum channel. */
175 #define IEEE80211_CHAN_5GHZ 0x0100 /* 5 GHz spectrum channel */
176 #define IEEE80211_CHAN_PASSIVE 0x0200 /* Only passive scan allowed */
177 #define IEEE80211_CHAN_DYN 0x0400 /* Dynamic CCK-OFDM channel */
178 #define IEEE80211_CHAN_GFSK 0x0800 /* GFSK channel (FHSS PHY) */
179
180 /* For IEEE80211_RADIOTAP_FLAGS */
181 #define IEEE80211_RADIOTAP_F_CFP 0x01 /* sent/received
182 * during CFP
183 */
184 #define IEEE80211_RADIOTAP_F_SHORTPRE 0x02 /* sent/received
185 * with short
186 * preamble
187 */
188 #define IEEE80211_RADIOTAP_F_WEP 0x04 /* sent/received
189 * with WEP encryption
190 */
191 #define IEEE80211_RADIOTAP_F_FRAG 0x08 /* sent/received
192 * with fragmentation
193 */
194 #define IEEE80211_RADIOTAP_F_FCS 0x10 /* frame includes FCS */
195 #define IEEE80211_RADIOTAP_F_DATAPAD 0x20 /* frame has padding between
196 * 802.11 header and payload
197 * (to 32-bit boundary)
198 */
199
200 /* Ugly macro to convert literal channel numbers into their mhz equivalents
201 * There are certianly some conditions that will break this (like feeding it '30')
202 * but they shouldn't arise since nothing talks on channel 30. */
203 #define ieee80211chan2mhz(x) \
204 (((x) <= 14) ? \
205 (((x) == 14) ? 2484 : ((x) * 5) + 2407) : \
206 ((x) + 1000) * 5)
207
208 #endif /* RADIOTAP_H */
209
+158
-0
utils.c less more
0 /* Copyright (c) 2007, Joshua Wright <[email protected]>
1 *
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License version 2 as
4 * published by the Free Software Foundation. See COPYING for more
5 * details.
6 *
7 * This software is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 */
12
13 #include <stdlib.h>
14 #include <stdio.h>
15 #include <stdarg.h>
16 #include <string.h>
17 #include <stdint.h>
18 #include <crypt.h>
19 #include <unistd.h>
20 #include <ctype.h>
21 #include <netinet/in.h> /* for ntohs() */
22 #include <errno.h>
23 #include <sys/types.h>
24 #include "utils.h"
25
26 void lamont_hdump(unsigned char *bp, unsigned int length);
27 char *printmac(unsigned char *mac);
28
29 /* A better version of hdump, from Lamont Granquist. Modified slightly
30 by Fyodor ([email protected]) */
31 void lamont_hdump(unsigned char *bp, unsigned int length)
32 {
33
34 /* stolen from tcpdump, then kludged extensively */
35
36 static const char asciify[] =
37 "................................ !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~.................................................................................................................................";
38
39 const unsigned short *sp;
40 const unsigned char *ap;
41 unsigned int i, j;
42 int nshorts, nshorts2;
43 int padding;
44
45 printf("\n\t");
46 padding = 0;
47 sp = (unsigned short *)bp;
48 ap = (unsigned char *)bp;
49 nshorts = (unsigned int)length / sizeof(unsigned short);
50 nshorts2 = (unsigned int)length / sizeof(unsigned short);
51 i = 0;
52 j = 0;
53 while (1) {
54 while (--nshorts >= 0) {
55 printf(" %04x", ntohs(*sp));
56 sp++;
57 if ((++i % 8) == 0)
58 break;
59 }
60 if (nshorts < 0) {
61 if ((length & 1) && (((i - 1) % 8) != 0)) {
62 printf(" %02x ", *(unsigned char *)sp);
63 padding++;
64 }
65 nshorts = (8 - (nshorts2 - nshorts));
66 while (--nshorts >= 0) {
67 printf(" ");
68 }
69 if (!padding)
70 printf(" ");
71 }
72 printf(" ");
73
74 while (--nshorts2 >= 0) {
75 printf("%c%c", asciify[*ap], asciify[*(ap + 1)]);
76 ap += 2;
77 if ((++j % 8) == 0) {
78 printf("\n\t");
79 break;
80 }
81 }
82 if (nshorts2 < 0) {
83 if ((length & 1) && (((j - 1) % 8) != 0)) {
84 printf("%c", asciify[*ap]);
85 }
86 break;
87 }
88 }
89 if ((length & 1) && (((i - 1) % 8) == 0)) {
90 printf(" %02x", *(unsigned char *)sp);
91 printf(" %c",
92 asciify[*ap]);
93 }
94 printf("\n");
95 }
96
97 int str2mac(char *string, uint8_t *mac)
98 {
99
100 char *ptr, *next;
101 unsigned long val;
102 int i;
103
104 to_upper(string);
105
106 ptr = next = string;
107 for (i = 0; i < 6; i++) {
108 if ((val = strtoul(next, &ptr, 16)) > 255) {
109 return (-1);
110 }
111 mac[i] = (uint8_t) val;
112 if ((next == ptr) && (i != 6 - 1)) {
113 return (-1);
114 }
115 next = ptr + 1;
116 }
117
118 return (0);
119 }
120
121 void to_upper (char *s)
122 {
123
124 char *p;
125 char offset;
126
127 offset = 'A' - 'a';
128 for (p = s; *p != '\0'; p++) {
129 if (islower(*p)) {
130 *p += offset;
131 }
132 }
133 }
134
135
136 int str2hex (char *string, uint8_t *hexstr, int len)
137 {
138 char *ptr, *next;
139 unsigned long val;
140 int i;
141
142 ptr = next = string;
143 for(i=0;i < len;i++) {
144 if((val = strtoul(next, &ptr, 16)) > 255) {
145 errno = EINVAL;
146 return(-1);
147 }
148 hexstr[i] = (unsigned int)val;
149 if((next == ptr) && (i != len - 1)) {
150 errno = EINVAL;
151 return(-1);
152 }
153 next = ptr + 1;
154 }
155
156 return(1);
157 }
+18
-0
utils.h less more
0 /* Copyright (c) 2007, Joshua Wright <[email protected]>
1 *
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License version 2 as
4 * published by the Free Software Foundation. See COPYING for more
5 * details.
6 *
7 * This software is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 */
12
13 /* Prototypes */
14 void lamont_hdump(unsigned char *bp, unsigned int length);
15 int str2mac(char *string, uint8_t *mac);
16 void to_upper (char *s);
17 int str2hex (char *string, uint8_t *hexstr, int len);