📄 airdecap.c
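/* (continuation of the CCMP decrypt routine whose head lies above this excerpt) */
    XOR( MIC, AAD + 16, 16 );
    aes_encrypt( &aes_ctx, MIC, MIC );

    B0[0] &= 0x07;
    B0[14] = B0[15] = 0;
    aes_encrypt( &aes_ctx, B0, B );
    XOR( h80211 + caplen - 8, B, 8 );

    blocks = ( data_len + 16 - 1 ) / 16;
    last   = data_len % 16;
    offset = z + 8;

    for( i = 1; i <= blocks; i++ )
    {
        n = ( last > 0 && i == blocks ) ? last : 16;

        B0[14] = ( i >> 8 ) & 0xFF;
        B0[15] = i & 0xFF;
        aes_encrypt( &aes_ctx, B0, B );
        XOR( h80211 + offset, B, n );
        XOR( MIC, h80211 + offset, n );
        aes_encrypt( &aes_ctx, MIC, MIC );

        offset += n;
    }

    return( memcmp( h80211 + offset, MIC, 8 ) == 0 );
}

/* counters maintained while the capture is decoded */
struct decap_stats
{
    unsigned long nb_read;      /* # of packets read         */
    unsigned long nb_wep;       /* # of WEP data packets     */
    unsigned long nb_wpa;       /* # of WPA data packets     */
    unsigned long nb_plain;     /* # of plaintext packets    */
    unsigned long nb_unwep;     /* # of decrypted WEP pkt    */
    unsigned long nb_unwpa;     /* # of decrypted WPA pkt    */
}
stats;

/* user-supplied settings, filled in interactively by main() */
struct options
{
    int no_convert;             /* non-zero: write raw 802.11 frames instead of Ethernet */
    uchar bssid[6];             /* BSSID filter; left all-zero when '.' (no filter) is entered */
    uchar pmk[40];              /* WPA pairwise master key; main() stores exactly 32 bytes here */
    uchar essid[36];            /* network name, NUL-terminated; main() truncates input at 33 chars */
    uchar passphrase[65];       /* WPA passphrase, NUL-terminated.
                                   NOTE(review): main() cuts its input at buffer[65] before
                                   strcpy'ing into this array, so a 65-character passphrase
                                   plus its NUL is one byte too long for it */
    uchar wepkey[64];           /* static WEP key bytes; main() accepts 5, 13, 29 or 61 of them */
    int weplen, crypt;          /* weplen: bytes used in wepkey; crypt: selected CRYPT_* mode */
}
opt;

/* scratch frame buffers; write_packet() assembles its output record in `buffer` */
uchar buffer[65536];
uchar tmpbuf[65536];

/*
 * Print a "press Ctrl-C" prompt, block until stdin yields something,
 * then terminate the process with retval. Never returns.
 */
int prompt_exit( int retval )
{
    int dummy = 0;

    printf( "\n Press Ctrl-C to exit.\n" );

    /* the value read is irrelevant; the call only blocks so the
       console window stays open until the user acts */
    (void) scanf( "%d", &dummy );

    exit( retval );
}

/* this routine handles to 802.11 to Ethernet translation */
/*
 * Write one frame to the output pcap file.
 *
 * With opt.no_convert set the frame is written unchanged (it is first
 * copied into the global `buffer` unless it already lives there).
 * Otherwise the 802.11 MAC header (24 bytes, or 30 for 4-address
 * frames) plus the 6-byte LLC/SNAP prefix is replaced by a 12-byte
 * Ethernet DA/SA pair, and pkh->len / pkh->caplen are adjusted.
 *
 * h80211 may point into `buffer` itself (the no_convert branch tests
 * for exactly that case), so the payload shift uses memmove: the
 * source and destination ranges overlap when it does.
 *
 * Returns 0 on success, or -1 when the captured data is too short to
 * contain the header being stripped; such a frame is skipped instead
 * of wrapping caplen around to a huge value. A failed fwrite() calls
 * prompt_exit(1) and does not return.
 */
int write_packet( FILE *f_out, struct pcap_pkthdr *pkh, uchar *h80211 )
{
    int n;
    unsigned int hdrlen;    /* 802.11 MAC header length: 24, or 30 for To DS + From DS */
    uchar arphdr[12];       /* Ethernet DA (6 bytes) followed by SA (6 bytes) */

    if( opt.no_convert )
    {
        if( buffer != h80211 )
            memcpy( buffer, h80211, pkh->caplen );
    }
    else
    {
        /* the smallest header we strip is 24 + 6 bytes; reject anything
           shorter before touching the frame control field below */
        if( pkh->caplen < 24 + 6 )
            return( -1 );

        hdrlen = ( ( h80211[1] & 3 ) == 3 ) ? 30 : 24;

        /* 4-address frames need 30 + 6 bytes present */
        if( pkh->caplen < hdrlen + 6 )
            return( -1 );

        /* create the Ethernet link layer (MAC dst+src) */
        switch( h80211[1] & 3 )
        {
            case 0:
                /* To DS = 0, From DS = 0: DA, SA, BSSID */
                memcpy( arphdr + 0, h80211 +  4, 6 );
                memcpy( arphdr + 6, h80211 + 10, 6 );
                break;

            case 1:
                /* To DS = 1, From DS = 0: BSSID, SA, DA */
                memcpy( arphdr + 0, h80211 + 16, 6 );
                memcpy( arphdr + 6, h80211 + 10, 6 );
                break;

            case 2:
                /* To DS = 0, From DS = 1: DA, BSSID, SA */
                memcpy( arphdr + 0, h80211 +  4, 6 );
                memcpy( arphdr + 6, h80211 + 16, 6 );
                break;

            default:
                /* To DS = 1, From DS = 1: RA, TA, DA, SA */
                memcpy( arphdr + 0, h80211 + 16, 6 );
                memcpy( arphdr + 6, h80211 + 24, 6 );
                break;
        }

        /* remove the 802.11 + LLC header; the addresses were copied
           out above, so the payload can be shifted in place */
        pkh->len    -= hdrlen + 6;
        pkh->caplen -= hdrlen + 6;
        memmove( buffer + 12, h80211 + hdrlen + 6, pkh->caplen );

        memcpy( buffer, arphdr, 12 );
        pkh->len    += 12;
        pkh->caplen += 12;
    }

    /* NOTE(review): this writes the in-memory struct as the on-disk
       record header, which is only correct where the struct's layout
       matches the 16-byte pcap record header on the build target */
    n = sizeof( struct pcap_pkthdr );

    if( fwrite( pkh, 1, n, f_out ) != (size_t) n )
    {
        perror( " fwrite(packet header) failed" );
        prompt_exit( 1 );
    }

    n = pkh->caplen;

    if( fwrite( buffer, 1, n, f_out ) != (size_t) n )
    {
        perror( " fwrite(packet data) failed" );
        prompt_exit( 1 );
    }

    return( 0 );
}

int main( int argc, char *argv[] )
{
    time_t tt;
    uint magic;
    FILE *f_in, *f_out;
    unsigned long crc;
    int i = 0, n, z, linktype;
    uchar ZERO[32], *s, *h80211;
    uchar bssid[6], stmac[6];

    struct ST_info *st_1st;
    struct ST_info *st_cur;
    struct ST_info *st_prv;

    struct pcap_file_header pfh;
    struct pcap_pkthdr pkh;

    /* parse the arguments */

    memset( ZERO, 0, sizeof( ZERO ) );
    memset( &opt, 0, sizeof( opt ) );

    /* init some stuff */

    GetModuleFileName( GetModuleHandle( NULL ), buffer, sizeof( buffer ) );

    i = strlen( buffer ) - 1;

    while( i > 0 )
    {
        if( buffer[i] == '\\' )
        {
            buffer[i] = '\0';
            break;
        }
        i--;
    }

    SetCurrentDirectory( buffer );

    set_console_icon( " airdecap 2.3 " );
    set_console_size( 38, 80 );

    printf( "\n\n\n\t\t" );
    set_text_color( BLUE_WHITE );
    printf( "airdecap 2.3 - (C) 2004,2005 Christophe Devine" );
    set_text_color( TEXTATTR );
    printf( "\n\n\n" );

    /* ask the arguments */

ask_infile:

    if( argc < 2 )
    {
        printf( "\n Input .cap file -> " );
        /* NOTE(review): "%s" without a field width — input longer than
           sizeof( buffer ) overflows it; the other scanf( "%s", ... )
           prompts in main() share this */
        scanf( "%s", buffer );
        argv[1] = buffer;
    }

    if( ( f_in = fopen( argv[1], "rb" ) ) == NULL )
    {
        printf( "\n Could not open \"%s\".\n", argv[1] );
        goto ask_infile;
    }

    n = strlen( argv[1] );

    if( n > 4 && argv[1][n - 4] == '.' )
    {
        memcpy( tmpbuf, argv[1], n - 4 );
        memcpy( tmpbuf + n - 4, "-dec", 4 );
        memcpy( tmpbuf + n, argv[1] + n - 4, 5 );
    }
    else
    {
        if( n > 5 && argv[1][n - 5] == '.'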
) { memcpy( tmpbuf, argv[1], n - 5 ); memcpy( tmpbuf + n - 5, "-dec", 4 ); memcpy( tmpbuf + n - 1, argv[1] + n - 5, 6 ); } else sprintf( tmpbuf, "%s-dec", argv[1] ); } if( ( f_out = fopen( tmpbuf, "wb+" ) ) == NULL ) { printf( "\n Could not create \"%s\".\n", tmpbuf ); prompt_exit( 1 ); } printf( "\n" );ask_bssid: printf( " BSSID ('.' = no MAC filter) -> " ); scanf( "%s", buffer ); memset( opt.bssid, 0, 6 ); if( buffer[0] != '.' ) { i = 0; s = buffer; while( sscanf( s, "%x", &n ) == 1 ) { if( n < 0 || n > 255 ) goto ask_bssid; opt.bssid[i] = n; if( ++i > 6 ) break; if( ! ( s = strchr( s, ':' ) ) ) break; s++; } if( i != 6 ) goto ask_bssid; } printf( "\n Mode: 1 = convert unencrypted\n" " 2 = decrypt static WEP\n" " 3 = decrypt WPA-PSK\n\n" );ask_mode: printf( " -> " ); scanf( "%s", buffer ); opt.crypt = atoi( buffer ); if( opt.crypt < 1 || opt.crypt > 3 ) goto ask_mode; opt.crypt--; if( opt.crypt == CRYPT_WEP ) { printf( "\n" );ask_wepkey: printf( " WEP key in hex. -> " ); scanf( "%s", buffer ); i = 0; s = buffer; tmpbuf[0] = s[0]; tmpbuf[1] = s[1]; tmpbuf[2] = '\0'; while( sscanf( tmpbuf, "%x", &n ) == 1 ) { if( n < 0 || n > 255 ) goto ask_wepkey; opt.wepkey[i++] = n; if( i >= 64 ) break; s += 2; if( s[0] == ':' || s[0] == '-' ) s++; if( s[0] == '\0' || s[1] == '\0' ) break; tmpbuf[0] = s[0]; tmpbuf[1] = s[1]; } if( i != 5 && i != 13 && i != 29 && i != 61 ) goto ask_wepkey; opt.weplen = i; } if( opt.crypt == CRYPT_WPA ) { int wpamode; printf( "\n WPA: 1 = specify 256-bit PMK\n" " 2 = specify ESSID & passphrase\n\n" );ask_wpamode: printf( " -> " ); scanf( "%s", buffer ); wpamode = atoi( buffer ); if( wpamode < 1 || wpamode > 2 ) goto ask_wpamode; printf( "\n" ); if( wpamode == 1 ) {ask_pmk: printf( " PMK (256-bit hex value) -> " ); scanf( "%s", buffer ); i = 0; s = buffer; tmpbuf[0] = s[0]; tmpbuf[1] = s[1]; tmpbuf[2] = '\0'; while( sscanf( tmpbuf, "%x", &n ) == 1 ) { if( n < 0 || n > 255 ) goto ask_pmk; opt.pmk[i++] = n; if( i >= 32 ) break; s += 2; if( s[0] == 
':' || s[0] == '-' ) s++; if( s[0] == '\0' || s[1] == '\0' ) break; tmpbuf[0] = s[0]; tmpbuf[1] = s[1]; } if( i != 32 ) goto ask_pmk; } if( wpamode == 2 ) { printf( " Network ESSID -> " ); scanf( "%s", buffer ); buffer[33] = '\0'; strcpy( opt.essid, buffer ); printf( " Passphrase -> " ); scanf( "%s", buffer ); buffer[65] = '\0'; strcpy( opt.passphrase, buffer ); calc_pmk( opt.passphrase, opt.essid, opt.pmk ); } }