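return(SUCCESS);

    /* we get the key for which we'll bruteforce the last 2 bytes from the pipe */

    if( safe_read( bf_pipe[nthread][0], (void *) wepkey, 64) != 64)
    {
        perror( "read failed" );
        kill( 0, SIGTERM );
        _exit( FAILURE );
    }
    else
        bf_nkeys[nthread]--;

    /* now we test the 256*256 keys... if we succeed we'll save it and exit the thread */

    if (opt.do_brute==2)
    {
        for( i = 0; i < 256; i++ )
        {
            wepkey[opt.keylen - 2] = i;

            for( j = 0; j < 256; j++ )
            {
                wepkey[opt.keylen - 1] = j;

                if( check_wep_key( wepkey, opt.keylen - 2, 0 ) == SUCCESS )
                    return(SUCCESS);
            }
        }
    }
    else
    {
        for( j = 0; j < 256; j++ )
        {
            wepkey[opt.keylen - 1] = j;

            if( check_wep_key( wepkey, opt.keylen - 2, 0 ) == SUCCESS )
                return(SUCCESS);
        }
    }

    goto inner_bruteforcer_thread_start;
}

/*
 * One PBKDF2-HMAC-SHA1 output block.
 *
 * On entry `block` holds U_1 = HMAC(key, salt || counter), already computed
 * by the caller. This runs the remaining 4095 iterations
 * U_i = HMAC(key, U_{i-1}) and XORs every U_i into `block`, which then holds
 * the final T = U_1 ^ U_2 ^ ... ^ U_4096.
 *
 * ctx_ipad / ctx_opad are the SHA-1 contexts with the HMAC inner and outer
 * key pads already absorbed, so the key itself is never re-hashed here.
 */
static void pbkdf2_sha1_iterate( const sha1_context *ctx_ipad,
                                 const sha1_context *ctx_opad,
                                 uchar block[20] )
{
    int i, j;
    uchar u[20];
    sha1_context ctx;

    memcpy( u, block, 20 );

    for( i = 1; i < 4096; i++ )
    {
        /* inner hash: SHA1(K ^ ipad || U_{i-1}) */
        memcpy( &ctx, ctx_ipad, sizeof( ctx ) );
        sha1_update( &ctx, u, 20 );
        sha1_finish( &ctx, u );

        /* outer hash: SHA1(K ^ opad || inner) == U_i */
        memcpy( &ctx, ctx_opad, sizeof( ctx ) );
        sha1_update( &ctx, u, 20 );
        sha1_finish( &ctx, u );

        for( j = 0; j < 20; j++ )
            block[j] ^= u[j];
    }
}

/*
 * Derive the WPA Pairwise Master Key from a passphrase and an ESSID:
 * PMK = PBKDF2-HMAC-SHA1(passphrase, essid, 4096 iterations), two 20-byte
 * blocks (counter 1 and 2) written to pmk[0..39]; only the first 32 bytes
 * form the PMK.
 *
 * key   : NUL-terminated passphrase. Must be at most 64 bytes: the inner /
 *         outer contexts are built from the first 64 bytes only, while the
 *         first iteration goes through hmac_sha1() with the full length, so a
 *         longer key would give an inconsistent result. WPA-PSK limits
 *         passphrases to 63 characters, and do_wpa_crack() filters on that.
 * essid : NUL-terminated ESSID in a buffer of at least strlen(essid) + 4
 *         bytes. The salt is essid || 32-bit big-endian block counter, so the
 *         function WRITES the counter's low byte at essid[strlen + 3] and
 *         expects the two bytes after the NUL to already be zero (the caller
 *         keeps the ESSID in a zero-filled 36-byte buffer).
 * pmk   : 40-byte output.
 */
void calc_pmk( char *key, char *essid, uchar pmk[40] )
{
    int i, slen;
    size_t klen;
    uchar kblock[64];
    sha1_context ctx_ipad;
    sha1_context ctx_opad;

    /* salt length: ESSID plus the 4-byte block counter */
    slen = strlen( essid ) + 4;

    /* zero-padded 64-byte HMAC key block (SHA-1 block size) */
    klen = strlen( key );
    if( klen > sizeof( kblock ) )
        klen = sizeof( kblock );
    memset( kblock, 0, sizeof( kblock ) );
    memcpy( kblock, key, klen );

    /* inner context: K ^ ipad */
    for( i = 0; i < 64; i++ )
        kblock[i] ^= 0x36;
    sha1_starts( &ctx_ipad );
    sha1_update( &ctx_ipad, kblock, 64 );

    /* outer context: K ^ opad, obtained from K ^ ipad by XORing 0x36 ^ 0x5C */
    for( i = 0; i < 64; i++ )
        kblock[i] ^= 0x36 ^ 0x5C;
    sha1_starts( &ctx_opad );
    sha1_update( &ctx_opad, kblock, 64 );

    /* block 1: U_1 = HMAC(key, essid || 00 00 00 01), then iterate */
    essid[slen - 1] = '\1';
    hmac_sha1( (uchar *) key, strlen( key ), (uchar *) essid, slen, pmk );
    pbkdf2_sha1_iterate( &ctx_ipad, &ctx_opad, pmk );

    /* block 2: same with counter 2, only 12 of these 20 bytes end up in the PMK */
    essid[slen - 1] = '\2';
    hmac_sha1( (uchar *) key, strlen( key ), (uchar *) essid, slen, pmk + 20 );
    pbkdf2_sha1_iterate( &ctx_ipad, &ctx_opad, pmk + 20 );
}

#ifdef __i386__
/*
 * Lay out two word streams in the interleaved form the MMX SHA-1 code
 * expects: 32-bit word i of `a` lands at dst[8i], word i of `b` at dst[8i+4].
 * Done with memcpy rather than uint* casts so the uchar buffers are never
 * accessed through a misaligned / aliasing-violating pointer.
 */
static void mmx_interleave( uchar *dst, const uchar *a, const uchar *b, int nwords )
{
    int i;

    for( i = 0; i < nwords; i++ )
    {
        memcpy( dst + 8 * i,     a + 4 * i, 4 );
        memcpy( dst + 8 * i + 4, b + 4 * i, 4 );
    }
}

/* inverse of mmx_interleave: XOR the two lanes of `src` into `a` and `b` */
static void mmx_xor_deinterleave( uchar *a, uchar *b, const uchar *src, int nwords )
{
    int i, k;

    for( i = 0; i < nwords; i++ )
    {
        for( k = 0; k < 4; k++ )
        {
            a[4 * i + k] ^= src[8 * i + k];
            b[4 * i + k] ^= src[8 * i + 4 + k];
        }
    }
}
#endif

/*
 * Worker: receives the ESSID once, then pairs of passphrases, over
 * mc_pipe[cid], derives the two PMKs and sends passphrases + PMKs back over
 * cm_pipe[cid]. Never returns; any pipe error terminates the whole process
 * group (kill(0, SIGTERM)).
 *
 * On i386 the two PMKs are computed in one pass with the MMX SHA-1 code,
 * which works on two interleaved 64-byte lanes; elsewhere calc_pmk() is
 * called twice.
 *
 * arg : worker index (cid), passed as a pointer-sized integer.
 */
int crack_wpa_thread( void *arg )
{
    char essid[36];
    char key1[128], key2[128];
    uchar pmk1[128], pmk2[128];

#ifdef __i386__
    uchar k_ipad[128], ctx_ipad[40];
    uchar k_opad[128], ctx_opad[40];
    uchar buffer[128], sha1_ctx[40];
    uchar wrkbuf[640];
    size_t l1, l2;
    int i;
#endif

    int slen, cid = (long) arg;

    /* receive the essid: 32 bytes into a zeroed 36-byte buffer, so it is
       always NUL-terminated and the 3 bytes calc_pmk() uses as counter are 0 */
    memset( essid, 0, sizeof( essid ) );

    if( safe_read( mc_pipe[cid][0], (void *) essid, 32 ) != 32 )
    {
        perror( "read failed" );
        kill( 0, SIGTERM );
        _exit( FAILURE );
    }

    slen = strlen( essid ) + 4;

    while( 1 )
    {
        /* receive two passphrases (fixed 128-byte records) */
        memset( key1, 0, sizeof( key1 ) );
        memset( key2, 0, sizeof( key2 ) );

        if( safe_read( mc_pipe[cid][0], (void *) key1, 128 ) != 128 ||
            safe_read( mc_pipe[cid][0], (void *) key2, 128 ) != 128 )
        {
            perror( "read passphrase failed" );
            kill( 0, SIGTERM );
            _exit( FAILURE );
        }

        /* never trust the peer for termination */
        key1[127] = '\0';
        key2[127] = '\0';

#ifdef __i386__
        /* MMX available, so compute two PMKs in a single row.
           Each key gets a 64-byte zero-padded slot in k_ipad / k_opad; bound
           the copy to that slot so an over-long record from the pipe cannot
           overrun the 128-byte buffers (a >64-byte passphrase is not a valid
           WPA-PSK anyway and its PMK would not be meaningful). */
        l1 = strlen( key1 );
        if( l1 > 64 )
            l1 = 64;
        l2 = strlen( key2 );
        if( l2 > 64 )
            l2 = 64;

        memset( k_ipad, 0, sizeof( k_ipad ) );
        memset( k_opad, 0, sizeof( k_opad ) );
        memcpy( k_ipad,      key1, l1 );
        memcpy( k_opad,      key1, l1 );
        memcpy( k_ipad + 64, key2, l2 );
        memcpy( k_opad + 64, key2, l2 );

        /* inner contexts: interleave the two key blocks, XOR with ipad */
        mmx_interleave( buffer, k_ipad, k_ipad + 64, 16 );
        for( i = 0; i < 128; i++ )
            buffer[i] ^= 0x36;
        shammx_init( ctx_ipad );
        shammx_data( ctx_ipad, buffer, wrkbuf );

        /* outer contexts: same with opad */
        mmx_interleave( buffer, k_opad, k_opad + 64, 16 );
        for( i = 0; i < 128; i++ )
            buffer[i] ^= 0x5C;
        shammx_init( ctx_opad );
        shammx_data( ctx_opad, buffer, wrkbuf );

        /* SHA-1 padding for a 20-byte message in both lanes (0x80 terminator,
           length 0x2A0 = 672 bits = 64 + 20 bytes); the first 40 bytes are
           refilled with the interleaved digests below */
        memset( buffer, 0, sizeof( buffer ) );
        buffer[ 40] = buffer[ 44] = 0x80;
        buffer[122] = buffer[126] = 0x02;
        buffer[123] = buffer[127] = 0xA0;

        /* block 1: U_1 for both keys, then 4095 interleaved HMAC iterations */
        essid[slen - 1] = '\1';
        hmac_sha1( (uchar *) key1, strlen( key1 ), (uchar *) essid, slen, pmk1 );
        hmac_sha1( (uchar *) key2, strlen( key2 ), (uchar *) essid, slen, pmk2 );

        mmx_interleave( buffer, pmk1, pmk2, 5 );

        for( i = 1; i < 4096; i++ )
        {
            memcpy( sha1_ctx, ctx_ipad, 40 );
            shammx_data( sha1_ctx, buffer, wrkbuf );
            shammx_ends( sha1_ctx, buffer );
            memcpy( sha1_ctx, ctx_opad, 40 );
            shammx_data( sha1_ctx, buffer, wrkbuf );
            shammx_ends( sha1_ctx, buffer );
            mmx_xor_deinterleave( pmk1, pmk2, buffer, 5 );
        }

        /* block 2: only the first 12 bytes (3 words) are part of the PMK */
        essid[slen - 1] = '\2';
        hmac_sha1( (uchar *) key1, strlen( key1 ), (uchar *) essid, slen, pmk1 + 20 );
        hmac_sha1( (uchar *) key2, strlen( key2 ), (uchar *) essid, slen, pmk2 + 20 );

        mmx_interleave( buffer, pmk1 + 20, pmk2 + 20, 5 );

        for( i = 1; i < 4096; i++ )
        {
            memcpy( sha1_ctx, ctx_ipad, 40 );
            shammx_data( sha1_ctx, buffer, wrkbuf );
            shammx_ends( sha1_ctx, buffer );
            memcpy( sha1_ctx, ctx_opad, 40 );
            shammx_data( sha1_ctx, buffer, wrkbuf );
            shammx_ends( sha1_ctx, buffer );
            mmx_xor_deinterleave( pmk1 + 20, pmk2 + 20, buffer, 3 );
        }
#else
        /* not x86, use the generic SHA-1 C code */
        calc_pmk( key1, essid, pmk1 );
        calc_pmk( key2, essid, pmk2 );
#endif

        /* send the passphrases & master keys back */
        if( safe_write( cm_pipe[cid][1], (void *) key1, 128 ) != 128 ||
            safe_write( cm_pipe[cid][1], (void *) key2, 128 ) != 128 ||
            safe_write( cm_pipe[cid][1], (void *) pmk1,  32 ) !=  32 ||
            safe_write( cm_pipe[cid][1], (void *) pmk2,  32 ) !=  32 )
        {
            perror( "write pmk failed" );
            kill( 0, SIGTERM );
            _exit( FAILURE );
        }
    }
}

/*
 * Display the current WPA key info, matrix-like.
 *
 * Redraws are rate-limited to one every 80 ms unless `force` is non-zero
 * (used when the key is found). The keys/s figure is computed over a
 * sliding window kept in t_kprev / nb_kprev.
 *
 * key : current passphrase (shown truncated to 27 characters)
 * pmk : 32-byte PMK, ptk : 64 bytes of the PTK, mic : 16-byte EAPOL MIC
 */
void show_wpa_stats( char *key, uchar pmk[32], uchar ptk[64],
                     uchar mic[16], int force )
{
    float delta, rate;
    int i, et_h, et_m, et_s;
    size_t klen;
    char tmpbuf[28];

#ifdef __i386__
    /* leave MMX mode so the floating point below is usable */
    __asm__( "emms" );
#endif

    if( chrono( &t_stats, 0 ) < 0.08 && force == 0 )
        return;

    chrono( &t_stats, 1 );

    /* elapsed time since t_begin, split into h:m:s */
    delta = chrono( &t_begin, 0 );
    et_h  = delta / 3600;
    et_m  = ( delta - et_h * 3600 ) / 60;
    et_s  = delta - et_h * 3600 - et_m * 60;

    /* every 6 s, halve the window so the rate follows recent throughput */
    if( ( delta = chrono( &t_kprev, 0 ) ) >= 6 )
    {
        t_kprev.tv_sec += 3;
        nb_kprev /= 2;
    }

    /* guard against a zero interval (would print inf/nan) */
    rate = ( delta > 0 ) ? (float) nb_kprev / delta : 0;

    if( opt.l33t )
        printf( "\33[33;1m" );

    printf( "\33[5;20H[%02d:%02d:%02d] %lld keys tested "
            "(%2.2f k/s)", et_h, et_m, et_s, nb_tried, rate );

    /* passphrase, space-padded to a fixed 27-column field */
    klen = strlen( key );
    if( klen > 27 )
        klen = 27;
    memset( tmpbuf, ' ', sizeof( tmpbuf ) );
    memcpy( tmpbuf, key, klen );
    tmpbuf[27] = '\0';

    if( opt.l33t )
        printf( "\33[37;1m" );

    printf( "\33[8;24HCurrent passphrase: %s\n", tmpbuf );

    if( opt.l33t )
        printf( "\33[32;22m" );

    printf( "\33[11;7HMaster Key     : " );

    if( opt.l33t )
        printf( "\33[32;1m" );

    for( i = 0; i < 32; i++ )
    {
        if( i == 16 )
            printf( "\n\33[23C" );
        printf( "%02X ", pmk[i] );
    }

    if( opt.l33t )
        printf( "\33[32;22m" );

    printf( "\33[14;7HTranscient Key : " );

    if( opt.l33t )
        printf( "\33[32;1m" );

    for( i = 0; i < 64; i++ )
    {
        if( i > 0 && i % 16 == 0 )
            printf( "\n\33[23C" );
        printf( "%02X ", ptk[i] );
    }

    if( opt.l33t )
        printf( "\33[32;22m" );

    printf( "\33[19;7HEAPOL HMAC     : " );

    if( opt.l33t )
        printf( "\33[32;1m" );

    for( i = 0; i < 16; i++ )
        printf( "%02X ", mic[i] );

    printf( "\n" );
}

/*
 * Read one dictionary line into buf (size bytes) and strip the trailing
 * LF / CR. Returns the passphrase length, or -1 at end of file (buf is
 * then left untouched).
 *
 * A line longer than size-1 characters is truncated and its remainder
 * discarded, so the tail of an over-long entry can never be re-read as the
 * next passphrase. Stripping is bounds-checked: a line consisting of just
 * "\n" yields length 0 instead of indexing buf[-1].
 */
static int read_passphrase( FILE *dict, char *buf, size_t size )
{
    size_t len;
    int c;

    if( fgets( buf, (int) size, dict ) == NULL )
        return( -1 );

    len = strlen( buf );

    if( len > 0 && buf[len - 1] != '\n' )
    {
        /* over-long line: drop everything up to the newline (or EOF) */
        do
            c = fgetc( dict );
        while( c != '\n' && c != EOF );
    }

    while( len > 0 && ( buf[len - 1] == '\n' || buf[len - 1] == '\r' ) )
        buf[--len] = '\0';

    return( (int) len );
}

/*
 * Dictionary attack on a captured WPA 4-way handshake.
 *
 * Sends the ESSID to every worker, then feeds them two passphrases at a
 * time from opt.dict, collects the PMKs, expands each to a PTK with
 * PRF-512 over "Pairwise key expansion" || min/max(AA, SPA) ||
 * min/max(ANonce, SNonce), and checks the EAPOL MIC (HMAC-MD5 for key
 * descriptor version 1, HMAC-SHA1 otherwise, compared on 16 bytes) against
 * ap->wpa.keymic.
 *
 * Dictionary entries outside the 8..63 character WPA-PSK range are skipped.
 *
 * Returns SUCCESS when a passphrase matches (printed), FAILURE when the
 * dictionary is exhausted or a pipe to a worker fails.
 */
int do_wpa_crack( struct AP_info *ap )
{
    int i, cid;
    char key1[128], key2[128];
    uchar pke[100];
    uchar pmk1[40], ptk1[80];
    uchar pmk2[40], ptk2[80];
    uchar mic1[20], mic2[20];

    /* send the ESSID to each thread */
    for( cid = 0; cid < opt.nbcpu; cid++ )
    {
        if( safe_write( mc_pipe[cid][1], (void *) ap->essid, 32 ) != 32 )
        {
            perror( "write essid failed" );
            kill( 0, SIGTERM );
            _exit( FAILURE );
        }
    }

    /* pre-compute the key expansion buffer (pke[99] is the PRF counter):
       label (22 chars + NUL) at 0, MACs at 23/29, nonces at 35/67 */
    memcpy( pke, "Pairwise key expansion", 23 );

    if( memcmp( ap->wpa.stmac, ap->bssid, 6 ) < 0 )
    {
        memcpy( pke + 23, ap->wpa.stmac, 6 );
        memcpy( pke + 29, ap->bssid, 6 );
    }
    else
    {
        memcpy( pke + 23, ap->bssid, 6 );
        memcpy( pke + 29, ap->wpa.stmac, 6 );
    }

    if( memcmp( ap->wpa.snonce, ap->wpa.anonce, 32 ) < 0 )
    {
        memcpy( pke + 35, ap->wpa.snonce, 32 );
        memcpy( pke + 67, ap->wpa.anonce, 32 );
    }
    else
    {
        memcpy( pke + 35, ap->wpa.anonce, 32 );
        memcpy( pke + 67, ap->wpa.snonce, 32 );
    }

    memset( key1, 0, sizeof( key1 ) );
    memset( key2, 0, sizeof( key2 ) );

    if( ! opt.is_quiet )
    {
        if( opt.l33t )
            printf( "\33[37;40m" );
        printf( "\33[2J" );
        if( opt.l33t )
            printf( "\33[34;1m" );
        printf("\33[2;34H%s",progname);
    }

    while( 1 )
    {
        for( cid = 0; cid < opt.nbcpu; cid++ )
        {
            /* read a couple of keys, skipping those that cannot be a
               WPA-PSK passphrase (fewer than 8 or more than 63 chars) */
            do
            {
                i = read_passphrase( opt.dict, key1, sizeof( key1 ) );

                if( i < 0 )
                {
                    if( opt.l33t )
                        printf( "\33[32;22m" );
                    printf( "\nPassphrase not in dictionnary\n" );
                    return( FAILURE );
                }
            }
            while( i < 8 || i > 63 );

            /* at EOF on the second key, key2 keeps its previous content and
               is simply re-tested; key1 will hit EOF on the next round */
            do
            {
                i = read_passphrase( opt.dict, key2, sizeof( key2 ) );

                if( i < 0 )
                    break;
            }
            while( i < 8 || i > 63 );

            /* send the keys */
            if( safe_write( mc_pipe[cid][1], (void *) key1, 128 ) != 128 ||
                safe_write( mc_pipe[cid][1], (void *) key2, 128 ) != 128 )
            {
                perror( "write passphrase failed" );
                return( FAILURE );
            }
        }

        for( cid = 0; cid < opt.nbcpu; cid++ )
        {
            /* collect and test the master keys */
            if( safe_read( cm_pipe[cid][0], (void *) key1, 128 ) != 128 ||
                safe_read( cm_pipe[cid][0], (void *) key2, 128 ) != 128 ||
                safe_read( cm_pipe[cid][0], (void *) pmk1,  32 ) !=  32 ||
                safe_read( cm_pipe[cid][0], (void *) pmk2,  32 ) !=  32 )
            {
                perror( "read pmk failed" );
                return( FAILURE );
            }

            /* PTK = PRF-512(PMK, pke): four HMAC-SHA1 blocks, counter 0..3 */
            for( i = 0; i < 4; i++ )
            {
                pke[99] = i;
                hmac_sha1( pmk1, 32, pke, 100, ptk1 + i * 20 );
                hmac_sha1( pmk2, 32, pke, 100, ptk2 + i * 20 );
            }

            /* the frame MIC is keyed with the first 16 bytes of the PTK (KCK) */
            if( ap->wpa.keyver == 1 )
            {
                hmac_md5( ptk1, 16, ap->wpa.eapol, ap->wpa.eapol_size, mic1 );
                hmac_md5( ptk2, 16, ap->wpa.eapol, ap->wpa.eapol_size, mic2 );
            }
            else
            {
                hmac_sha1( ptk1, 16, ap->wpa.eapol, ap->wpa.eapol_size, mic1 );
                hmac_sha1( ptk2, 16, ap->wpa.eapol, ap->wpa.eapol_size, mic2 );
            }

            /* a key1 hit is moved into the key2 slots so one report path follows */
            if( memcmp( mic1, ap->wpa.keymic, 16 ) == 0 )
            {
                memcpy( key2, key1, 128 );
                memcpy( pmk2, pmk1, 32 );
                memcpy( ptk2, ptk1, 64 );
                memcpy( mic2, mic1, 16 );
            }

            if( memcmp( mic2, ap->wpa.keymic, 16 ) == 0 )
            {
                if( opt.is_quiet )
                {
                    printf( "KEY FOUND! [ %s ]\n", key2 );
                    return( SUCCESS );
                }

                show_wpa_stats( key2, pmk2, ptk2, mic2, 1 );

                if( opt.l33t )
                    printf( "\33[31;1m" );

                /* centre the banner on an 80-column line */
                printf( "\33[8;%dH\33[2KKEY FOUND! [ %s ]\33[11B\n",
                        ( 80 - 15 - (int) strlen( key2 ) ) / 2, key2 );

                if( opt.l33t )
                    printf( "\33[32;22m" );

                return( SUCCESS );
            }

            nb_tried += 2;
            nb_kprev += 2;

            if( ! opt.is_quiet )
                show_wpa_stats( key1, pmk1, ptk1, mic1, 0 );
        }
    }

    return( FAILURE );
}

/* set from the SIGINT handler; polled elsewhere.
   NOTE(review): ideally `volatile sig_atomic_t` -- left as int in case a
   header declares it with this type. */
int intr_read = 0;

/*
 * Process-wide signal handler.
 *
 * SIGQUIT exits with SUCCESS, SIGTERM with FAILURE (both via _exit, which is
 * async-signal-safe), SIGINT bumps intr_read (or exits under the ICC PGO
 * build), SIGWINCH clears the screen. The disposition is re-armed on every
 * delivery because signal() may reset it to SIG_DFL on some platforms.
 */
void sighandler( int signum )
{
#if ((defined(__INTEL_COMPILER) || defined(__ICC)) && defined(DO_PGO_DUMP))
    _PGOPTI_Prof_Dump();
#endif

    signal( signum, sighandler );

    if( signum == SIGQUIT )
        _exit( SUCCESS );

    if( signum == SIGTERM )
        _exit( FAILURE );

    if( signum == SIGINT )
#if ((defined(__INTEL_COMPILER) || defined(__ICC)) && defined(DO_PGO_DUMP))
        _exit( FAILURE );
#else
        intr_read++;
#endif

    if( signum == SIGWINCH )
    {
        /* raw write(2): printf() is not async-signal-safe and this program
           is usually inside another printf() when the signal arrives */
        static const char clear_screen[] = "\33[2J\n";

        if( write( STDOUT_FILENO, clear_screen, sizeof( clear_screen ) - 1 ) < 0 )
        {
            /* nothing that can safely be done about it from a handler */
        }
    }
}

int main( int argc, char *argv[] )
{
    int i, n, ret, max_cpu, option;
    char *s, buf[128];
    struct AP_info *ap_cur;

    ret = FAILURE;

    progname = getVersion("Aircrack-ng", _MAJ, _MIN, _SUB_MIN, _BETA);

    memset( &opt, 0, sizeof( opt ) );

#ifdef _SC_NPROCESSORS_ONLN
    max_cpu = sysconf(_SC_NPROCESSORS_ONLN);
    opt.nbcpu = max_cpu;
#else
    max_cpu = 255;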