opt.nbcpu = 1; #endif /* check the arguments */ if( argc < 2 ) { usage: printf (usage, progname, ( max_cpu == 1 ) ? "\n" : "\n -p <nbcpu> : # of CPU to use (by default, all CPUs)\n" ); return( ret ); } opt.do_brute = 1; opt.do_mt_brute = 1; opt.showASCII = 0; while( 1 ) { if ( max_cpu == 1 ) option = getopt( argc, argv, "a:e:b:qcthd:m:n:i:f:k:x::ysw:0" ); else option = getopt( argc, argv, "a:e:b:p:qcthd:m:n:i:f:k:x::Xysw:0" ); if( option < 0 ) break; switch( option ) { case 'a' : sscanf( optarg, "%d", &opt.amode ); if ( strcasecmp( optarg, "wep" ) == 0 ) opt.amode = 1; else if ( strcasecmp( optarg, "wpa" ) == 0 ) opt.amode = 2; if( opt.amode != 1 && opt.amode != 2 ) { printf( "Invalid attack mode.\n" ); return( FAILURE ); } break; case 'e' : memset( opt.essid, 0, sizeof( opt.essid ) ); strncpy( opt.essid, optarg, sizeof( opt.essid ) - 1 ); opt.essid_set = 1; break; case 'b' : if (getmac(optarg, 1, opt.bssid) != 0) { printf( "Invalid BSSID (not a MAC).\n" ); return( FAILURE ); } opt.bssid_set = 1; break; case 'p' : if( sscanf( optarg, "%d", &opt.nbcpu ) != 1 || opt.nbcpu < 1 || opt.nbcpu > max_cpu ) { printf( "Invalid number of processes.\n" ); return( FAILURE ); } break; case 'q' : opt.is_quiet = 1; break; case 'c' : opt.is_alnum = 1; break; case 'h' : opt.is_fritz = 1; break; case 't' : opt.is_bcdonly = 1; break; case 'd' : i = 0 ; n = 0; s = optarg; while( s[i] != '\0' ) { if (s[i] == 'x') s[i] = 'X'; if ( s[i] == '-' || s[i] == ':' || s[i] == ' ') i++; else s[n++] = s[i++]; } s[n] = '\0' ; buf[0] = s[0]; buf[1] = s[1]; buf[2] = '\0'; i = 0; while( ( sscanf( buf, "%x", &n ) == 1 ) || ( buf[0] == 'X' && buf[1] == 'X' ) ) { if ( buf[0] == 'X' && buf[1] == 'X' ) { opt.debug_row[i++] = 0 ; } else { if ( n < 0 || n > 255 ) { printf( "Invalid debug key.\n" ); return( FAILURE ); } opt.debug[i] = n ; opt.debug_row[i++] = 1; } if( i >= 64 ) break; s += 2; buf[0] = s[0]; buf[1] = s[1]; } break; case 'm' : if ( getmac(optarg, 1, opt.maddr) != 0) { printf( "Invalid MAC 
address filter.\n" ); return( FAILURE ); } break; case 'n' : if( sscanf( optarg, "%d", &opt.keylen ) != 1 || ( opt.keylen != 64 && opt.keylen != 128 && opt.keylen != 152 && opt.keylen != 256 && opt.keylen != 512 ) ) { printf( "Invalid WEP key length.\n" ); return( FAILURE ); } opt.keylen = ( opt.keylen / 8 ) - 3; break; case 'i' : if( sscanf( optarg, "%d", &opt.index ) != 1 || opt.index < 1 || opt.index > 4 ) { printf( "Invalid WEP key index.\n" ); return( FAILURE ); } break; case 'f' : if( sscanf( optarg, "%f", &opt.ffact ) != 1 || opt.ffact < 1 || opt.ffact > 32 ) { printf( "Invalid fudge factor.\n" ); return( FAILURE ); } break; case 'k' : if( sscanf( optarg, "%d", &opt.korek ) != 1 || opt.korek < 1 || opt.korek > N_ATTACKS ) { printf( "Invalid KoreK attack strategy.\n" ); return( FAILURE ); } K_COEFF[(opt.korek) - 1] = 0; break; case 'x' : opt.do_brute = 0; if (optarg) { if (sscanf(optarg, "%d", &opt.do_brute)!=1 || opt.do_brute<0 || opt.do_brute>2) { printf("Invalid option -x%s\n", optarg); return FAILURE; } } break; case 'X' : opt.do_mt_brute = 0; break; case 'y' : opt.do_testy = 1; break; case 's' : opt.showASCII = 1; break; case 'w' : if( strcmp( optarg, "-" ) == 0 ) { if( ( opt.dict = fdopen( 0, "r" ) ) == NULL ) { perror( "fopen(dictionary) failed" ); return( FAILURE ); } opt.no_stdin = 1; } else { if( ( opt.dict = fopen( optarg, "r" ) ) == NULL ) { perror( "fopen(dictionary) failed" ); return( FAILURE ); } fseek(opt.dict, 0L, SEEK_END); if ( ftell( opt.dict ) <= 0L ) { fclose( opt.dict ); printf( "Empty dictionnary\n" ); return( FAILURE ); } rewind( opt.dict ); } break; case '0' : opt.l33t = 1; break; default : goto usage; } } if( ! ( argc - optind ) ) goto usage; if( opt.amode == 2 && opt.dict == NULL ) { nodict: printf( "Please specify a dictionary (option -w).\n" ); goto exit_main; } if( (! opt.essid_set && ! 
opt.bssid_set) && ( opt.is_quiet || opt.no_stdin ) ) { printf( "Please specify an ESSID or BSSID.\n" ); goto exit_main; } /* start one thread per input file */ signal( SIGINT, sighandler ); signal( SIGQUIT, sighandler ); signal( SIGTERM, sighandler ); signal( SIGALRM, SIG_IGN ); pthread_mutex_init( &mx_apl, NULL ); pthread_mutex_init( &mx_eof, NULL ); pthread_cond_init( &cv_eof, NULL ); ap_1st = NULL; n = argc - optind; do { pthread_t tid; if( strcmp( argv[optind], "-" ) == 0 ) opt.no_stdin = 1; if( pthread_create( &tid, NULL, (void *) read_thread, (void *) argv[optind] ) != 0 ) { perror( "pthread_create failed" ); goto exit_main; } usleep( 131071 ); } while( ++optind < argc ); /* wait until each thread reaches EOF */ pthread_mutex_lock( &mx_eof ); if( ! opt.is_quiet ) { printf( "Reading packets, please wait...\r" ); fflush( stdout ); } while( nb_eof < n && ! intr_read ) pthread_cond_wait( &cv_eof, &mx_eof ); pthread_mutex_unlock( &mx_eof ); if( ! opt.is_quiet && ! opt.no_stdin ) printf( "\33[KRead %ld packets.\n\n", nb_pkt ); #ifndef DO_PGO_DUMP signal( SIGINT, SIG_DFL ); /* we want sigint to stop and dump pgo data */ #endif if( ap_1st == NULL ) { printf( "No networks found, exiting.\n" ); goto exit_main; } if( ! opt.essid_set && ! 
opt.bssid_set ) { /* ask the user which network is to be cracked */ printf( " # BSSID%14sESSID%21sEncryption\n\n", "", "" ); i = 1; ap_cur = ap_1st; while( ap_cur != NULL ) { printf( "%4d %02X:%02X:%02X:%02X:%02X:%02X %-24s ", i, ap_cur->bssid[0], ap_cur->bssid[1], ap_cur->bssid[2], ap_cur->bssid[3], ap_cur->bssid[4], ap_cur->bssid[5], ap_cur->essid ); if( ap_cur->eapol ) printf( "EAPOL+" ); switch( ap_cur->crypt ) { case 0: printf( "None (%d.%d.%d.%d)\n", ap_cur->lanip[0], ap_cur->lanip[1], ap_cur->lanip[2], ap_cur->lanip[3] ); break; case 1: printf( "No data - WEP or WPA\n" ); break; case 2: printf( "WEP (%ld IVs)\n", ap_cur->nb_ivs ); break; case 3: printf( "WPA (%d handshake)\n", ap_cur->wpa.state == 15 ); break; default: printf( "Unknown\n" ); break; } i++; ap_cur = ap_cur->next; } printf( "\n" ); if( ap_1st->next != NULL ) { do { printf( "Index number of target network ? " ); fflush( stdout ); scanf( "%127s", buf ); if( ( n = atoi( buf ) ) < 1 ) continue; i = 1; ap_cur = ap_1st; while( ap_cur != NULL && i < n ) { i++; ap_cur = ap_cur->next; } } while( n < 0 || ap_cur == NULL ); } else { printf( "Choosing first network as target.\n" ); sleep( 2 ); ap_cur = ap_1st; } printf( "\n" ); memcpy( opt.bssid, ap_cur->bssid, 6 ); opt.bssid_set = 1; } /* mark the targeted access point(s) */ ap_cur = ap_1st; while( ap_cur != NULL ) { if( memcmp( opt.maddr, BROADCAST, 6 ) == 0 || ( opt.bssid_set && ! memcmp( opt.bssid, ap_cur->bssid, 6 ) ) || ( opt.essid_set && ! strcmp( opt.essid, ap_cur->essid ) ) ) ap_cur->target = 1; ap_cur = ap_cur->next; } ap_cur = ap_1st; while( ap_cur != NULL ) { if( ap_cur->target ) break; ap_cur = ap_cur->next; } if( ap_cur == NULL ) { printf( "No matching network found - check your %s.\n", ( opt.essid_set ) ? 
"essid" : "bssid" ); goto exit_main; } if( ap_cur->crypt < 2 ) { switch( ap_cur->crypt ) { case 0: printf( "Target network doesn't seem encrypted.\n" ); break; default: printf( "Got no data packets from target network!\n" ); break; } goto exit_main; } /* create the cracker<->master communication pipes */ for( i = 0; i < opt.nbcpu; i++ ) { pipe( mc_pipe[i] ); pipe( cm_pipe[i] ); if (opt.amode<=1 && opt.nbcpu>1 && opt.do_brute && opt.do_mt_brute) { pipe(bf_pipe[i]); bf_nkeys[i] = 0; } } /* launch the attack */ nb_tried = 0; nb_kprev = 0; chrono( &t_begin, 1 ); chrono( &t_stats, 1 ); chrono( &t_kprev, 1 ); signal( SIGWINCH, sighandler ); if( opt.amode == 1 ) goto crack_wep; if( opt.amode == 2 ) goto crack_wpa; if( ap_cur->crypt == 2 ) { crack_wep: if( opt.keylen == 0 ) opt.keylen = 13; if( opt.ffact == 0 ) { if( ! opt.do_testy ) { if( opt.keylen == 5 ) opt.ffact = 5; else opt.ffact = 2; } else opt.ffact = 30; } memset( &wep, 0, sizeof( wep ) ); for( i = 0; i < opt.nbcpu; i++ ) { /* start one thread per cpu */ pthread_t tid; if (opt.amode<=1 && opt.nbcpu>1 && opt.do_brute && opt.do_mt_brute) { if (pthread_create( &tid, NULL, (void *) inner_bruteforcer_thread, (void *) (long) i ) != 0) { perror( "pthread_create failed" ); goto exit_main; } } if( pthread_create( &tid, NULL, (void *) crack_wep_thread, (void *) (long) i ) != 0 ) { perror( "pthread_create failed" ); goto exit_main; } } if( ! opt.do_testy ) { do { ret = do_wep_crack1( 0 ); } while( ret == RESTART ); if( ret == FAILURE ) { printf( " Attack failed. Possible reasons:\n\n" " * Out of luck: you must capture more IVs. Usually, 104-bit WEP\n" " can be cracked with about one million IVs, sometimes more.\n\n" " * If all votes seem equal, or if there are many negative votes,\n" " then the capture file is corrupted, or the key is not static.\n\n" " * A false positive prevented the key from being found. Try to\n" " disable each korek attack (-k 1 .. 
17), raise the fudge factor\n" " (-f)" ); if (opt.do_testy) printf( "and try the experimental bruteforce attacks (-y)." ); printf( "\n" ); } } else { for( i = opt.keylen - 3; i < opt.keylen - 2; i++ ) { do { ret = do_wep_crack2( i ); } while( ret == RESTART ); if( ret == SUCCESS ) break; } if( ret == FAILURE ) { printf( " Attack failed. Possible reasons:\n\n" " * Out of luck: you must capture more IVs. Usually, 104-bit WEP\n" " can be cracked with about one million IVs, sometimes more.\n\n" " * If all votes seem equal, or if there are many negative votes,\n" " then the capture file is corrupted, or the key is not static.\n\n" " * A false positive prevented the key from being found. Try to\n" " disable each korek attack (-k 1 .. 17), raise the fudge factor\n" " (-f)" ); if (opt.do_testy) printf( "or try the standard attack mode instead (no -y option)." ); printf( "\n" ); } } } if( ap_cur->crypt == 3 ) { crack_wpa: if ( opt.dict == NULL ) goto nodict; ap_cur = ap_1st; while( ap_cur != NULL ) { if( ap_cur->target && ap_cur->wpa.state == 15 ) break; ap_cur = ap_cur->next; } if( ap_cur == NULL ) { printf( "No valid WPA handshakes found.\n